Description
SQL Injection in sequelize
Affected versions of sequelize are vulnerable to SQL Injection in locations where user input is passed into the limit or order parameters of sequelize query calls, such as findOne or findAll.
Recommendation
Update to version 3.17.0 or later.
Packages
Name: sequelize (npm)
Affected versions: < 3.17.0
Fixed version: 3.17.0
Related vulnerabilities
CVSS3: 9.8
nvd
more than 7 years ago
sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS. If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.
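Upgrading to 3.17.0 or later is the fix; as defence in depth, the `limit` and `order` options should never be built from raw request strings in the first place. The following is an added example (not code from sequelize or from this advisory) that validates those two parameters before they reach a `findAll`/`findOne` call; the `ALLOWED_ORDER_COLUMNS` allow-list and the `column:direction` query format are assumptions.

```javascript
// Added example, not sequelize's own code. Builds the `limit` / `order`
// options for a sequelize findAll()/findOne() call from untrusted request
// parameters: only a bounded integer and an allow-listed column with one of
// two fixed direction literals can reach the query builder.
// ALLOWED_ORDER_COLUMNS and the "column:direction" format are assumptions.

const ALLOWED_ORDER_COLUMNS = new Set(['id', 'name', 'createdAt']);
const DIRECTIONS = new Map([['asc', 'ASC'], ['desc', 'DESC']]);
const MAX_LIMIT = 100;
const DEFAULT_LIMIT = 20;

// Accept only a canonical decimal integer string within [1, MAX_LIMIT].
// Anything else (whitespace, sign, "10 OFFSET 5", trailing text) is rejected,
// so the string is never interpolated as SQL.
function parseLimit(raw) {
  if (raw === undefined) return DEFAULT_LIMIT;
  if (typeof raw !== 'string' || !/^[1-9]\d{0,3}$/.test(raw)) {
    throw new RangeError('limit must be a positive integer');
  }
  const limit = Number(raw);
  if (limit > MAX_LIMIT) throw new RangeError(`limit must be <= ${MAX_LIMIT}`);
  return limit;
}

// Accept "column" or "column:asc|desc". The column must be on the allow-list
// and the direction is mapped to a fixed literal, never echoed back as given.
function parseOrder(raw) {
  if (raw === undefined) return [['id', 'ASC']];
  if (typeof raw !== 'string') throw new TypeError('order must be a string');
  const parts = raw.split(':');
  if (parts.length > 2) throw new RangeError('order must be column[:direction]');
  const [column, dir = 'asc'] = parts;
  if (!ALLOWED_ORDER_COLUMNS.has(column)) {
    throw new RangeError(`unknown sort column: ${column}`);
  }
  const direction = DIRECTIONS.get(dir.toLowerCase());
  if (direction === undefined) throw new RangeError('direction must be asc or desc');
  return [[column, direction]];
}

// The result is safe to spread into Model.findAll({ where, ...buildFindOptions(req.query) }).
function buildFindOptions(query) {
  return { limit: parseLimit(query.limit), order: parseOrder(query.order) };
}
```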