13 matches found
CVE-2023-22578
CVE-2023-22578 affects the Sequelize JavaScript ORM. The issue is caused by improper attribute filtering, enabling a remote attacker to execute SQL injections via crafted queries that can view, add, modify, or delete data in the back-end database. Documented impacts in the IBM/Red Hat/OSS advisor...
CVE-2023-22580
CVE-2023-22580 describes a vulnerability in the Sequelize JS library where improper input filtering can allow malicious queries to disclose sensitive information. The issue affects Sequelize (library/file level) and is associated with a confidentiality impact (per CVSS) without explicit exploit d...
CVE-2019-10748
CVE-2019-10748 affects the Sequelize ORM. The vulnerability is a SQL Injection issue in Sequelize versions prior to 3.35.1, 4.44.3, and 5.8.11, caused by JSON path keys not being properly escaped in the MySQL/MariaDB dialects. The risk is high due to network-exposed attack potential and the abili...
CVE-2019-10752
CVE-2019-10752 affects the Sequelize ORM. All versions prior to 4.44.3 and 5.15.1 are vulnerable to SQL Injection because the helper function sequelize.json() does not escape values properly when formatting sub paths for JSON queries in MySQL, MariaDB and SQLite. The vulnerability is documented a...
CVE-2023-25813
Sequelize (Node.js ORM) prior to v6.19.1 is vulnerable to SQL injection when using replacements in combination with where clauses, due to improper escaping and the replacement processing order. The issue affects Sequelize
CVE-2019-10749
CVE-2019-10749 affects sequelize prior to 3.35.1. The vulnerability arises in the Postgres dialect where JSON path keys are not properly sanitized, enabling SQL injection. Affected component: Sequelize (Node.js ORM) code paths used for generating queries with JSON path keys. Exploitation details ...
CVE-2023-22579
CVE-2023-22579 concerns Sequelize (Node.js ORM). The related docs point to a type-confusion/unsafe fall-through in getWhereConditions that can bypass parameter filtering, enabling an attacker to execute arbitrary code under certain conditions. Affected component: Sequelize runtime; core issue is ...
CVE-2016-10556
CVE-2016-10556 affects the Sequelize ORM for Node.js (v3.19.3 and earlier). The issue: when an array is used as a string in a query, Sequelize incorrectly escapes it, causing a SQL injection in Postgres, SQLite, and MSSQL. The PoC shows a crafted replacements value leading to a query like: SELECT...
CVE-2016-10554
The CVE concerns sequelize (Node.js ORM). Before 1.7.0-alpha3, sequelize defaults SQLite to MySQL backslash escaping, even though SQLite uses PostgreSQL escaping, creating a SQL injection risk when Sequelize connects to SQLite. Affected: sequelize versions prior to 1.7.0-alpha3. Root cause: escap...
CVE-2019-11069
Severity: CVE-2019-11069 affects Sequelize versions prior to 5.3.0, where standard-conforming strings are not guaranteed, enabling potential SQL injection via backslash handling in PostgreSQL string literals. Affected component: Sequelize (Node.js ORM) in 5.x series before 5.3.0. Root cause: impr...
CVE-2016-10550
The CVE-2016-10550 issue affects sequelize (ORM for Node.js) where user input into limit or order parameters can be used to inject SQL. Concrete details across documents show affected version: 3.16.0 and earlier. Root cause is improper handling of input in query construction, enabling SQL stateme...
CVE-2016-10553
CVE-2016-10553 affects the Node.js ORM sequelize . The vulnerability is a SQL Injection when user input is concatenated into queries, specifically in patterns like findOne or where: "user input". Affected versions are the pre-3.0 releases; the recommended fix is to upgrade to version 3.0.0 or lat...
CVE-2026-30951
CVE-2026-30951 affects Sequelize (Node.js ORM). Prior to version 6.37.8, JSON/JSONB where-clause processing can interpolate an unescaped cast type via _traverseJSON(), inserting CAST(... AS ) with attacker-controlled JSON keys, enabling arbitrary SQL and data exfiltration from any table. The vuln...