CyberSec.Space Logo
Back to CVE Browser

CVE-2016-10550

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1870%
EPSS Percentile16.62th
PublishedMay 31, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the `limit` or `order` parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.

Affected Platforms (CPE)

πŸ“¦
Sequelizejs

Sequelize

<= 3.16.0

References & Advisories

πŸ”— https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03
πŸ”— https://nodesecurity.io/advisories/112
πŸ”— https://github.com/sequelize/sequelize/pull/5167/commits/f282d85e60e3df5e57ecdb82adccb4eaef404f03
πŸ”— https://nodesecurity.io/advisories/112

Related Vulnerabilities

CVE-2019-107529.8

Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function...

CVE-2019-107489.8

Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properl...

CVE-2019-107499.8

sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized...

CVE-2016-105519.8

waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's `like...