NoSQL Injection
Overview: Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection. Recommendation: Upgrade to version 4.12.0 or later. References: GitHub Issue, Snyk...
1st-project (=1.0.2), @142vip/egg-sequelize (>=0.0.1 <=0.0.2) +1062 more potentially affected by CVE-2019-11069 via sequelize (>=5.10.0 <=5.2.3)
sequelize NPM version =5.10.0, =0.0.1, =0.5.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.1, =1.0.0, =0.2.0, =1.0.1, =1.0.2 - @aica/js-app =1.0.1 and more Source cves: CVE-2019-11069 Source advisory: OSV:GHSA-2777-2VQ8-C4V4...
GHSA-2777-2VQ8-C4V4 SQL Injection in sequelize
Versions of sequelize prior to 5.3.0, excluding v3 and v4, are vulnerable to SQL Injection. The PostgreSQL option standard_conforming_strings is not set to on by default, which may allow attackers to inject SQL statements due to poor handling of backslashes in string literals. Recommendation: Upgrade to...
SQL Injection
sequelize is vulnerable to SQL injection when used with PostgreSQL. This is due to backslashes not being escaped properly in non-standard strings, allowing a remote attacker to inject and execute arbitrary SQL statements in the database...
CVE-2019-11069
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used...
Design/Logic Flaw
Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used...
CVE-2019-11069
Severity: CVE-2019-11069 affects Sequelize versions prior to 5.3.0, where standard-conforming strings are not guaranteed, enabling potential SQL injection via backslash handling in PostgreSQL string literals. Affected component: Sequelize (Node.js ORM) in 5.x series before 5.3.0. Root cause: impr...
PT-2019-12164 · Postgresql · Sequelize
Name of the Vulnerable Software and Affected Versions: Sequelize versions prior to 5.3.0 Description: The issue arises from the improper handling of backslashes in string literals, potentially allowing attackers to inject SQL statements. This is due to the PostgreSQL option standard conforming...
@loke/mysql-orm (=1.12.0), @weiqiwang/nodejs-develop-kit (=1.2.0) +179 more potentially affected by CVE-2016-10550 via sequelize (>=1.0.2 <=3.14.2)
sequelize NPM version =1.0.2, =0.0.1, =0.0.1, =0.0.1, =0.1.0, =0.0.1, =0.0.5, =0.0.1, =0.0.1, =2.0.0, =0.0.1, =0.0.2-a, =0.0.131-a and more Source cves: CVE-2016-10550 Source advisory: OSV:GHSA-98PQ-PMW9-4GPM...
SQL Injection in sequelize
Affected versions of sequelize are vulnerable to SQL Injection in locations where user input is passed into the limit or order parameters of sequelize query calls, such as findOne or findAll. Recommendation: Update to version 3.17.0 or later...
GHSA-2V7Q-2XQX-F4Q5 Potential SQL Injection in sequelize
Affected versions of sequelize are vulnerable to SQL Injection when user input is passed into findOne or into a statement such as where: "user input". Recommendation: Update to version 3.0.0 or later. Version 3.0.0 will introduce a number of breaking changes. Thankfully, the project authors have...
GHSA-X2JC-PWFJ-H9P3 SQL Injection in sequelize
Affected versions of sequelize use MySQL's backslash-based escape syntax when connecting to SQLite, despite the fact that SQLite uses PostgreSQL's escape syntax, which can result in a SQL Injection vulnerability. Recommendation: Update to version 1.7.0-alpha3 or later...
GHSA-9C2P-JW8P-F84V SQL Injection in sequelize
Affected versions of sequelize cast arrays to strings and fail to properly escape the resulting SQL statement, resulting in a SQL injection vulnerability. Proof of Concept: In Postgres, SQLite, and Microsoft SQL Server there is an issue where arrays are treated as strings and improperly escaped...
CVE-2016-10554
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. Before version 1.7.0-alpha3, sequelize defaulted SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escapin...