CVE-2022-2422 Feathers - SQL injection via attribute aliases
Due to improper input validation in the FeathersJS library, it is possible to perform a SQL injection attack on the back-end database when the feathers-sequelize package is used...
A vulnerability in the sequelize.json() JSON-path helper of the Sequelize ORM allows attackers to compromise the confidentiality, integrity, and availability of protected information.
A vulnerability in the sequelize.json JSON-path helper of the Sequelize ORM stems from a lack of protection for the SQL query structure. Exploiting this vulnerability could allow a malicious actor to compromise the confidentiality, integrity, and availability of the protected informati...
Risks involved with operatorAliases in Sequelize
The risks involved with the operatorAliases option in Sequelize, the popular Node.js ORM. The post Risks involved with operatorAliases in Sequelize appeared first on Wallarm Blog...
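The following is an added illustration of the operatorAliases risk; it is not code from Sequelize or from the Wallarm post. With string operator aliases enabled, Sequelize maps keys such as '$gt', '$ne' and '$or' to its Op operators, so a JSON request body passed straight into a where clause can turn an equality filter into an arbitrary comparison. The column allow-list, the payloads and the function names below are constructed for this example.

```javascript
// Added illustration; this is not Sequelize's code and not from the Wallarm
// post. It shows why Sequelize's string operator aliases ('$gt' -> Op.gt,
// '$ne' -> Op.ne, '$or' -> Op.or, ...) are dangerous when a request body is
// passed straight into a `where` clause, and one defensive pattern.
//
// With aliases on, a constructed login-style body such as
//   {"username": {"$ne": ""}}
// is no longer an equality match on `username`: the nested object is read as
// an operator and the condition matches every row with a non-empty username.

// Columns an untrusted client may filter on, and the only value type allowed
// for each (assumption: a simple users table; adjust per model).
const ALLOWED_FILTERS = { username: 'string', email: 'string', active: 'boolean' };

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Walk an untrusted filter object and report every '$'-prefixed key, at any
// depth, with its path. Sequelize's string aliases all start with '$', so a
// '$' key arriving from the network is operator injection until proven
// otherwise.
function findOperatorKeys(obj, path = '') {
  const hits = [];
  if (!isPlainObject(obj)) return hits;
  for (const [key, value] of Object.entries(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith('$')) hits.push(here);
    if (isPlainObject(value)) {
      hits.push(...findOperatorKeys(value, here));
    } else if (Array.isArray(value)) {
      value.forEach((item, i) => hits.push(...findOperatorKeys(item, `${here}[${i}]`)));
    }
  }
  return hits;
}

// Build a `where` object from untrusted input by allow-list: only known
// columns, only primitive values of the declared type. Objects and arrays
// never reach the ORM, so no alias (or Symbol operator) can be smuggled in.
// The result is safe to hand to Model.findOne({ where }) even with
// operatorAliases enabled.
function buildWhere(untrusted) {
  if (!isPlainObject(untrusted)) throw new TypeError('filter must be a plain object');
  const where = {};
  for (const [key, value] of Object.entries(untrusted)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FILTERS, key)) {
      throw new Error(`unknown filter field: ${key}`);
    }
    const expected = ALLOWED_FILTERS[key];
    if (typeof value !== expected) {
      throw new Error(`field ${key} must be ${expected}, got ${typeof value}`);
    }
    where[key] = value;
  }
  return where;
}

// Constructed attacker payload next to a benign one.
const attack = { username: { $ne: '' } };
const benign = { username: 'alice', active: true };
console.log(findOperatorKeys(attack)); // ['username.$ne']
console.log(buildWhere(benign));       // { username: 'alice', active: true }
try { buildWhere(attack); } catch (e) { console.log('rejected:', e.message); }
```

findOperatorKeys is a detection aid for logging or for auditing existing handlers; buildWhere is the actual control, and it works by construction rather than by blocklisting alias names, so it stays correct if the alias table changes.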
12g (=0.0.27), 402 (>=0.0.2 <=0.1.1) +996 more potentially affected by unknown CVE via sequelize (>=1.0.2 <=4.44.3)
sequelize NPM version =1.0.2, =0.0.2, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =0.0.1, =1.1.7, =0.0.1, =1.0.0, =4.0.2, =5.2.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-FW4P-36J9-RRJ3...
GHSA-FW4P-36J9-RRJ3 Denial of Service in sequelize
Versions of sequelize prior to 4.44.4 are vulnerable to Denial of Service (DoS). The SQLite dialect fails to catch a TypeError exception for the results variable. The results value may be undefined and trigger the error on a .map call. This may allow attackers to submit malicious input that forces...
GHSA-5V9H-Q3GJ-C32X SQL Injection via GeoJSON in sequelize
Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using ST_GeomFromGeoJSON, and MySQL GeoJSON documents using GeomFromText...
@aaa-backend-stack/graphql (>=1.16.1 <=2.4.4), @aaa-backend-stack/graphql-rest-bindings (>=1.16.0 <=1.16.9) +264 more potentially affected by CVE-2019-10749 via sequelize (>=1.0.2 <=3.34.0)
sequelize NPM version =1.0.2, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.12.0, =1.0.22, =2.0.10, =1.0.97, =1.6.489, =1.6.735 and more Source cves: CVE-2019-10749 Source advisory: OSV:GHSA-2598-2F59-RMHQ...
GHSA-2598-2F59-RMHQ SQL Injection in sequelize
Versions of sequelize prior to 3.35.1 are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the Postgres dialect, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation: Upgrade to version 3.35.1 or later...
@aaa-backend-stack/graphql (>=1.16.1 <=2.4.4), @aaa-backend-stack/graphql-rest-bindings (>=1.16.0 <=1.16.9) +264 more potentially affected by CVE-2019-10748 via sequelize (>=1.0.2 <=3.34.0)
sequelize NPM version =1.0.2, =1.16.1, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.12.0, =1.0.22, =2.0.10, =1.0.97, =1.6.489, =1.6.735 and more Source cves: CVE-2019-10748 Source advisory: OSV:GHSA-J9XP-92VC-559J...
@alexbp-ds/microservice-wrapper (=1.1.8), @apifie/node-microservice (>=0.0.1 <=1.0.3) +94 more potentially affected by CVE-2019-10748 via sequelize (>=4.0.0 <=4.44.2)
sequelize NPM version =4.0.0, =0.0.1, =4.0.2, =1.0.16, =1.0.20, =1.0.18, =1.0.10, =1.0.0, =0.1.0, =0.0.1, =1.0.0, =1.0.6, =5.1.3, =1.6.7, =0.6.3, =0.6.5 and more Source cves: CVE-2019-10748 Source advisory: OSV:GHSA-J9XP-92VC-559J...
1st-project (=1.0.2), @142vip/egg-sequelize (>=0.0.1 <=0.0.2) +1065 more potentially affected by CVE-2019-10748 via sequelize (>=5.0.0 <=5.8.10)
sequelize NPM version =5.0.0, =0.0.1, =0.5.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.1, =1.0.0, =0.2.0, =1.0.1, =1.0.2 - @aica/js-app =1.0.1 and more Source cves: CVE-2019-10748 Source advisory: OSV:GHSA-J9XP-92VC-559J...
GHSA-J9XP-92VC-559J SQL Injection in sequelize
Affected versions of sequelize are vulnerable to SQL Injection. The package fails to sanitize JSON path keys in the MariaDB and MySQL dialects, which may allow attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation: If you are using sequelize 5.x, upgrade to version...
CVE-2019-10749
sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect...
CVE-2019-10748
Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects...
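The following is an added example, not Sequelize's query generator, illustrating the bug class shared by the JSON-path advisories (CVE-2019-10748, CVE-2019-10749) and the GeoJSON advisory listed above: a user-controlled string spliced into a SQL literal without escaping. The builder functions, the hostile path key and the GeoJSON point are constructed for this example; their SQL shapes approximate a Postgres `#>>'{...}'` JSON path lookup and a ST_GeomFromGeoJSON('...') call, and are not the exact strings any Sequelize version emitted.

```javascript
// Added illustration; this is not Sequelize's query generator. The JSON-path
// advisories (CVE-2019-10748 / CVE-2019-10749) and the GeoJSON advisory above
// share one root cause: a user-controlled string spliced into a SQL literal
// without escaping. The builders below are simplified stand-ins (assumption:
// shapes approximate a Postgres `#>>'{...}'` JSON path lookup and a
// ST_GeomFromGeoJSON('...') call) showing the bug beside one fix.

// --- JSON path keys -------------------------------------------------------
// Postgres: ("data"#>>'{a,b}') reads data->'a'->>'b'. Keys are user-supplied.

// Vulnerable: keys joined into the quoted literal verbatim, so a key holding a
// single quote terminates the literal and the rest is parsed as SQL.
function pgJsonPathVulnerable(column, keys) {
  return `("${column}"#>>'{${keys.join(',')}}')`;
}

// Hardened: allow-list each key as an identifier-like token. Rejecting rather
// than escaping keeps the path unambiguous (commas and braces are path syntax
// too, so escaping quotes alone would not be enough).
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;
function pgJsonPathSafe(column, keys) {
  for (const key of keys) {
    if (typeof key !== 'string' || !SAFE_KEY.test(key)) {
      throw new Error(`rejected JSON path key: ${JSON.stringify(key)}`);
    }
  }
  return `("${column}"#>>'{${keys.join(',')}}')`;
}

// --- GeoJSON documents ----------------------------------------------------
// Minimal SQL string-literal quoting: double every single quote. For real
// code, driver-side parameter binding is preferable to hand escaping.
function sqlLiteral(s) {
  return `'${String(s).replace(/'/g, "''")}'`;
}

// Vulnerable: the serialised document is wrapped in quotes directly.
// JSON.stringify never escapes single quotes, so a quote inside any string
// value (here a crs name) ends the literal early.
function geomFromGeoJsonVulnerable(doc) {
  return `ST_GeomFromGeoJSON('${JSON.stringify(doc)}')`;
}

function geomFromGeoJsonSafe(doc) {
  return `ST_GeomFromGeoJSON(${sqlLiteral(JSON.stringify(doc))})`;
}

// Number of quote characters in the statement: odd means an unbalanced literal.
function countSingleQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed inputs: a hostile path key and a GeoJSON point whose crs name
// carries a single quote.
const hostileKey = "a'b";
const point = { type: 'Point', coordinates: [0, 0], crs: { type: 'name', properties: { name: "x'y" } } };

console.log(pgJsonPathVulnerable('data', [hostileKey])); // ("data"#>>'{a'b}')
console.log(pgJsonPathSafe('data', ['a', 'b']));         // ("data"#>>'{a,b}')
console.log(countSingleQuotes(geomFromGeoJsonVulnerable(point))); // 3 (unbalanced)
console.log(countSingleQuotes(geomFromGeoJsonSafe(point)));       // 4
```

The quote count is a cheap check to add to tests of any hand-built SQL: an odd number of single quotes in a generated statement means some value reached the string unescaped, which is exactly the condition both advisories describe.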