Sequelize
Products
1-5 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-1000225 | | cri | 0.52 | — | — | | Sep 1, 2020 | Affected versions of `sequelize` are vulnerable to SQL Injection in Models that have fields with the `GEOMETRY` DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using `ST_GeomFromGeoJSON`, and MySQL GeoJSON documents using `GeomFromText`. Recommendation: update to version 3.23.6 or later. |
| CVE-2019-10749 | | | 0.00 | — | 0.00 | | Oct 29, 2019 | sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. |
| CVE-2019-10748 | | | 0.00 | — | 0.00 | | Oct 28, 2019 | Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. |
| CVE-2019-10752 | | | 0.00 | — | 0.00 | | Oct 17, 2019 | Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to the sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. |
| CVE-2019-11069 | | | 0.00 | — | 0.00 | | Apr 10, 2019 | Sequelize version 5 before 5.3.0 does not properly ensure that standard conforming strings are used. |