CVE-2015-1369
EPSS 0.36%
SQL Injection in sequelize
Published: 10/24/2017
Modified: 11/8/2023
Also known as: GHSA-xqg8-cv3h-xppv
Description
Versions 2.0.0-rc-7 and earlier of `sequelize` are affected by a SQL injection vulnerability when user input is passed into the `order` parameter. In the proof of concept below the untrusted value occupies the sort-direction position of an `order` entry.

## Proof of Concept

```javascript
// Vulnerable call: the sort direction in the order entry comes straight from untrusted input
Test.findAndCountAll({
  where: { id: 1 },
  order: [['id', 'UNTRUSTED USER INPUT']]
})
```

## Recommendation

Update to version 2.0.0-rc8 or later.
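Upgrading is the fix. As defence in depth, an application should also never forward a request value into an `order` entry verbatim; the example below (added here, not code from the advisory or from the sequelize project) maps a user-supplied sort string onto an allowlist of column names and the two directions `ASC`/`DESC`, so only allowlist values ever reach the ORM. The column names and the `column:direction` query format are assumptions made for the example.

```javascript
// Added example (not from the advisory or the sequelize project): validate a
// user-supplied sort request against an allowlist before it becomes an ORM
// order clause. The column names below are constructed for the example.
const ALLOWED_SORT_COLUMNS = new Set(['id', 'createdAt', 'name']);
const ALLOWED_DIRECTIONS = new Set(['ASC', 'DESC']);

/**
 * Build a Sequelize-style order array ([[column, direction], ...]) from an
 * untrusted query-string value such as "name:desc,id". Every returned string
 * is one of the allowlist's own values; nothing from the request is copied
 * through. Anything outside the allowlist throws, so the caller can answer
 * with a 400 instead of building a query.
 */
function buildOrder(sortParam, defaultColumn = 'id') {
  const raw = typeof sortParam === 'string' && sortParam.trim() !== ''
    ? sortParam
    : `${defaultColumn}:asc`;

  return raw.split(',').map((item) => {
    const [col, dir = 'asc'] = item.split(':');
    const column = col.trim();
    const direction = dir.trim().toUpperCase();

    if (!ALLOWED_SORT_COLUMNS.has(column)) {
      throw new Error(`unsupported sort column: ${column}`);
    }
    if (!ALLOWED_DIRECTIONS.has(direction)) {
      throw new Error(`unsupported sort direction: ${dir.trim()}`);
    }
    // Return the canonical allowlist values, not the request's strings.
    return [column, direction];
  });
}

// Usage in a request handler (hypothetical `req` object):
//   const order = buildOrder(req.query.sort);
//   Test.findAndCountAll({ where: { id: 1 }, order });
```

The important property is that the value handed to the ORM is chosen from a fixed set the application controls; the request only selects which set member is used. That holds regardless of how a given ORM version quotes or escapes order clauses.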
Affected packages (1)
- npm/sequelize from 0, < 2.0.0-rc8
References (7)
- ADVISORY https://github.com/advisories/GHSA-xqg8-cv3h-xppv
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2015-1369
- PATCH https://github.com/sequelize/sequelize
- WEB https://github.com/sequelize/sequelize/issues/2906
- WEB https://github.com/sequelize/sequelize/pull/2919
- WEB https://www.npmjs.com/advisories/33
- WEB http://www.openwall.com/lists/oss-security/2015/01/23/2