Yeee3642

#18148 of 53,630
15 Total CVSS
Vulnerabilities · 2
High: 2
PT-2026-25563
7.5
2026-03-15
Jawherkl · Node-Api-Postgres · CVE-2026-4190
**Name of the Vulnerable Software and Affected Versions**

JawherKl node-api-postgres versions prior to 2.5

**Description**

A flaw exists in the `User.getAll` function within the `models/user.js` file. Manipulation of the `sort` argument can lead to SQL injection. This issue is remotely exploitable. The exploit is publicly available. The vendor was notified but did not respond.

**Recommendations**

Versions prior to 2.5 should be updated. As a temporary workaround, consider restricting or disabling the `User.getAll` function until a patch is available.

PT-2026-25565
7.5
2026-03-15
Jawherkl · Node-Api-Postgres · CVE-2026-4191
**Name of the Vulnerable Software and Affected Versions**

JawherKl node-api-postgres versions up to 2.5

**Description**

A flaw exists in the Profile Picture Handler component of JawherKl node-api-postgres. Specifically, the `path.extname` function within the `index.js` file is susceptible to manipulation, leading to unrestricted file upload. This issue can be exploited remotely.

**Recommendations**

Versions prior to 2.5 should be used.