CVE-2019-10748 Vulnerability in npm package sequelize

Description

Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

Remediation

References

https://github.com/sequelize/sequelize/commit/a72a3f5%2C

https://github.com/sequelize/sequelize/pull/11089%2C

https://snyk.io/vuln/SNYK-JS-SEQUELIZE-450221

Related Vulnerabilities

CVE-2018-3733 Vulnerability in npm package crud-file-server

CVE-2023-47320 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web

CVE-2020-15174 Vulnerability in maven package org.webjars.npm:electron

CVE-2017-17868 Vulnerability in maven package com.liferay.portal:portal-service

CVE-2023-29519 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

Severity

Critical

Classification

CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H