Name of the Vulnerable Software and Affected Versions squel versions (affected versions not specified)

Description The issue concerns sql injection due to improper escaping of user-provided input when using the setFields method. This could lead to sql injection if the query was then executed. A proof of concept demonstrates the injection of a single quote into a generated sql statement from user-provided input, such as foo: "bar'baz" in the /api endpoint like squel.insert().into('buh').setFields({foo: "bar'baz"}).toString(), resulting in INSERT INTO buh (foo) VALUES ('bar'baz').

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.