Description
SQL Injection in sequelize
Affected versions of sequelize use MySQL's backslash-based escape syntax when connecting to SQLite, even though SQLite follows PostgreSQL's escape syntax (a single quote inside a string literal is escaped by doubling it, and a backslash is an ordinary character). A value escaped under the wrong rules can therefore terminate the string literal early, which results in a SQL Injection vulnerability.
Recommendation
Update to version 1.7.0-alpha3 or later.
Packages
Name                Affected versions     Fix version
sequelize (npm)     <= 1.7.0-alpha2       1.7.0
Related vulnerabilities
CVSS3: 9.8
nvd
more than 7 years ago
sequelize is an object-relational mapper, a middleman that converts data from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable objects for Node.js. Before version 1.7.0-alpha3, sequelize defaulted SQLite to MySQL backslash escaping, even though SQLite uses Postgres escaping.
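The following is an added example, not sequelize's own code, that makes the escaping mismatch concrete. Two hypothetical escapers are written side by side: one that applies MySQL-style backslash escaping and one that applies the quote-doubling rule SQLite shares with PostgreSQL. A small reader models how SQLite tokenizes a quoted string literal (a quote ends the literal unless it is immediately followed by another quote; a backslash has no special meaning), and a round-trip check reports whether the literal produced by each escaper closes exactly where the escaper intended and yields the original value. The sample inputs are constructed.

```javascript
// Added example (not sequelize's code): why MySQL-style escaping is unsafe
// for SQLite, which uses PostgreSQL-style quote doubling.

// MySQL-style escaping: prefix single quotes and backslashes with a backslash.
function escapeMysqlStyle(value) {
  return "'" + String(value).replace(/[\\']/g, (ch) => "\\" + ch) + "'";
}

// SQLite/PostgreSQL-style escaping: the only escape for a single quote is
// doubling it; a backslash is an ordinary character.
function escapeSqliteStyle(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Model of how SQLite reads a quoted string literal starting at `start`:
// consume characters until a quote that is not followed by another quote.
// Returns { value, end } where `end` is the index just past the closing
// quote, or null if the literal never closes.
function readSqliteStringLiteral(sql, start) {
  if (sql[start] !== "'") return null;
  let out = "";
  let i = start + 1;
  while (i < sql.length) {
    if (sql[i] === "'") {
      if (sql[i + 1] === "'") { // doubled quote -> literal quote character
        out += "'";
        i += 2;
        continue;
      }
      return { value: out, end: i + 1 }; // closing quote
    }
    out += sql[i]; // everything else, backslash included, is plain data
    i += 1;
  }
  return null; // unterminated literal
}

// Escape `value` with `escaper`, then parse the result with SQLite's rules.
// Returns the recovered value only if the literal closes exactly at the end
// of the escaped text and the content equals the original; otherwise null,
// meaning the escaper did not preserve the data/code boundary for SQLite.
function sqliteRoundTrip(escaper, value) {
  const literal = escaper(value);
  const parsed = readSqliteStringLiteral(literal, 0);
  if (parsed === null) return null;
  if (parsed.end !== literal.length) return null;   // literal closed early
  if (parsed.value !== String(value)) return null;  // data was altered
  return parsed.value;
}

// Constructed sample values: one containing a quote, one ending in a backslash.
const SAMPLES = ["O'Reilly", "abc\\"];

// Summarize which escaper survives the round trip for each sample.
function compareEscapers() {
  return SAMPLES.map((value) => ({
    value,
    mysqlStyleIntact: sqliteRoundTrip(escapeMysqlStyle, value) !== null,
    sqliteStyleIntact: sqliteRoundTrip(escapeSqliteStyle, value) !== null,
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareEscapers()) console.log(row);
}
```

For `O'Reilly`, MySQL-style escaping yields `'O\'Reilly'`; SQLite sees the backslash as data and closes the literal at the first quote, so the remaining text is no longer inside the string. Quote doubling yields `'O''Reilly'`, which SQLite reads back as the original value. Correct escaping fixes the boundary problem, but bound parameters remain the preferable defence because no escaping rules need to be matched to the dialect at all.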