Kevin Valk

**Name of the Vulnerable Software and Affected Versions** Sequelize versions prior to 6.29.0 Sequelize versions prior to 7.0.0.alpha-20 **Description** The issue is due to improper attribute filtering in the Sequelize JS library, allowing an attacker to perform SQL injections. This can be exploited when using parentheses in the attribute option, causing Sequelize to use the string as-is in the SQL. For example, using the `attributes` option with a value like `['count(id)', 'count']` can lead to SQL injection. The estimated number of potentially affected devices is not provided. **Recommendations** For Sequelize versions prior to 6.29.0, update to version 6.29.0 or later to patch the issue. For Sequelize versions prior to 7.0.0.alpha-20, update to version 7.0.0.alpha-20 or later to patch the issue. As a temporary workaround, do not use user-provided content to build your list of attributes. If you do, make sure that the attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first.

**Name of the Vulnerable Software and Affected Versions** Sequelize versions prior to 6.28.1 Sequelize Core versions prior to 7.0.0.alpha-20 **Description** The issue is due to improper parameter filtering in the Sequelize JS library, which can allow an attacker to perform injection. Providing an invalid value to the `where` option of a query caused Sequelize to ignore that option instead of throwing an error. This only happens at the top level of the `where` option, typically used with plain JavaScript objects. **Recommendations** For Sequelize versions prior to 6.28.1, update to version 6.28.1 or later to resolve the issue. For Sequelize Core versions prior to 7.0.0.alpha-20, update to version 7.0.0.alpha-20 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user input to prevent malicious data from being passed to the `where` option.

**Name of the Vulnerable Software and Affected Versions** sequelize js library (affected versions not specified) **Description** The issue is related to improper input filtering in the sequelize js library, which can lead to sensitive information disclosure when malicious queries are executed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Feathers js library (affected versions not specified) **Description** The issue is related to improper input validation in the Feathers js library, which can lead to a SQL injection attack on the back-end database when the feathers-sequelize package is used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** feathers-sequelize (affected versions not specified) **Description** The issue is related to improper parameter filtering in the Feathers js library, which may lead to SQL injection. This could potentially allow attackers to inject malicious SQL code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Feather-Sequelize (affected versions not specified) **Description** The cleanQuery method in Feather-Sequelize uses insecure recursive logic to filter unsupported keys from the query object, resulting in a Remote Code Execution (RCE) with privileges of the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.