Design/Logic Flaw

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. When a custom claim dialect with an XSS payload is configured in the identity provider basic claim configuration, that payload gets executed, if a user picks up that dialect's URI as t...

CVE-2019-20436

Affected software: WSO2 API Manager 2.6.0; WSO2 IS as Key Manager 5.7.0; WSO2 Identity Server 5.8.0. Issue: configuring a claim dialect whose URI contains an XSS payload can cause execution when the URI is added as a service provider claim dialect during SP configuration, given the attacker has a...

CVE-2019-20436

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configurin...

PT-2020-10447 · Wso2 · Wso2 Identity Server +2

Name of the Vulnerable Software and Affected Versions: WSO2 API Manager version 2.6.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0 Description: An issue was discovered where if a claim dialect is configured with an XSS payload in the dialect URI, and a user adds this...

PT-2020-10448 · Wso2 · Wso2 Identity Server +2

Name of the Vulnerable Software and Affected Versions: WSO2 API Manager version 2.6.0 WSO2 IS as Key Manager version 5.7.0 WSO2 Identity Server version 5.8.0 Description: An issue was discovered where a custom claim dialect with an XSS payload, when configured in the identity provider basic claim...

GHSA-2598-2F59-RMHQ SQL Injection in sequelize

Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 3.35.1 or later...

GHSA-J9XP-92VC-559J SQL Injection in sequelize

Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation If you are using sequelize 5.x, upgrade to version...

CVE-2019-10749

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect...

CVE-2019-10749

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect...

CVE-2019-10757

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB...

Sql injection

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB...

CVE-2019-10757

CVE-2019-10757 affects knex.js versions before 0.19.5. The root cause is that identifiers are escaped incorrectly in the MSSQL dialect, enabling an attacker to craft a malicious query to the host database (SQL Injection). Impact is described as vulnerable to SQL injection; mitigation provided in ...

CVE-2019-10757

knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB...

SQL Injection

Overview Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 3.35.1 or later. References...

SQL Injection

Overview sequelize is a promise-based Node.js ORM for Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server. Affected versions of this package are vulnerable to SQL Injection due to JSON path keys not being properly sanitized in the Postgres dialect. PoC by Snyk const Sequelize =...

[SECURITY] Fedora 29 Update: php-phpmyadmin-sql-parser-4.3.2-1.fc29

A validating SQL lexer and parser with a focus on MySQL dialect. This library was originally developed for phpMyAdmin during the Google Summer of Code 2015. Autoloader: /usr/share/php/PhpMyAdmin/SqlParser/autoload.php...

[SECURITY] Fedora 30 Update: php-phpmyadmin-sql-parser-4.3.2-1.fc30

A validating SQL lexer and parser with a focus on MySQL dialect. This library was originally developed for phpMyAdmin during the Google Summer of Code 2015. Autoloader: /usr/share/php/PhpMyAdmin/SqlParser/autoload.php...

WMI Exec

A similar approach to psexec but executing commands through WMI. !/usr/bin/env python3 Copyright c 2003-2018 CORE Security Technologies This software is provided under under a slightly modified version of the Apache Software License. See the accompanying LICENSE file for more information. import...

[SECURITY] Fedora 26 Update: php-phpmyadmin-sql-parser-4.2.4-3.fc26

A validating SQL lexer and parser with a focus on MySQL dialect. This library was originally developed for phpMyAdmin during the Google Summer of Code 2015. Autoloader: /usr/share/php/PhpMyAdmin/SqlParser/autoload.php...

[SECURITY] Fedora 22 Update: php-udan11-sql-parser-3.4.0-1.fc22

A validating SQL lexer and parser with a focus on MySQL dialect. This library was originally developed for phpMyAdmin during the Google Summer of Code 2015. To use this library, you just have to add, in your project: requireonce '/usr/share/php/SqlParser/autoload.php';...