PT-2018-4734 · Sequelize · Sequelize

Leibale

·

Published

2018-05-29

·

Updated

2019-10-09

·

CVE-2016-10556

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions sequelize versions 3.19.3 and earlier
Description Affected versions treat arrays passed as query replacements as strings and escape each element by prefixing single quotes with a backslash, regardless of the database dialect. In Postgres, SQLite, and Microsoft SQL Server the backslash has no special meaning inside a string literal, so the "escaped" quote still terminates the literal and the rest of the value is executed as SQL. A malicious user can exploit this by supplying a specially crafted array, such as ["test", "'); DELETE TestTable WHERE Id = 1 --')"], to a query like database.query('SELECT * FROM TestTable WHERE Name IN (:names)', { replacements: { names: directCopyOfUserInput } });. The rendered statement becomes SELECT * FROM TestTable WHERE Name IN ('test', '\'); DELETE TestTable WHERE Id = 1 --\')'). Because the backslash does not escape the quote in these databases, the second literal ends after '\', the injected DELETE TestTable WHERE Id = 1 runs as a separate statement, and the trailing -- comments out the remainder, deleting the record in TestTable with an Id of 1.
Recommendations Update to version 3.20.0 or later. As a temporary workaround, validate array replacements before they reach the query (for example, reject elements containing quotes, semicolons or comment markers, or check them against an allowlist), and avoid passing user-controlled arrays as replacements on the affected dialects. Run the application under a database account that lacks DELETE, UPDATE and DDL privileges on tables it only needs to read, so that a successful injection cannot modify data.
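The dialect mismatch described above, as an added example that is not part of the original advisory or of Sequelize's own code. It models the flawed behaviour (backslash-escaping every array element and joining them into the IN list) beside the correct ANSI escaping (doubling the quote), then runs a small statement splitter under both quoting rules to show that the same rendered SQL is one statement to a backslash-aware parser and two statements to Postgres, SQLite or MSSQL. The escape functions, the render helper and the splitter are simplified assumptions; the attacker input is the one quoted in the advisory.

```javascript
// Added illustration of CVE-2016-10556 (not Sequelize's code).
// Assumption: the vulnerable path escaped each array element the MySQL way
// (quote -> backslash-quote) and joined the elements, regardless of dialect.

// MySQL-style escaping: backslash is an escape character, so \' is "safe" there.
function escapeMysqlStyle(value) {
  return "'" + String(value).replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// ANSI-style escaping (Postgres, SQLite, MSSQL): a quote is doubled, backslash is literal.
function escapeAnsiStyle(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Hypothetical replacement renderer: :name placeholders are substituted with
// escaped literals; arrays become a comma-separated list for IN (...).
function render(sql, replacements, escapeFn) {
  return sql.replace(/:(\w+)/g, (_, key) => {
    const value = replacements[key];
    const list = Array.isArray(value) ? value : [value];
    return list.map(escapeFn).join(', ');
  });
}

// Minimal statement splitter. Tracks single-quoted literals and -- comments
// and returns the statements a database with the given quoting rule would see.
//   backslashEscapes = true  -> MySQL rule: \' stays inside the literal.
//   backslashEscapes = false -> ANSI rule: only '' stays inside the literal.
function splitStatements(sql, backslashEscapes) {
  const statements = [];
  let current = '';
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inString) {
      current += ch;
      if (backslashEscapes && ch === '\\' && i + 1 < sql.length) {
        current += sql[i + 1]; // backslash consumes the next character
        i++;
      } else if (ch === "'") {
        if (sql[i + 1] === "'") { current += "'"; i++; } // doubled quote stays inside
        else inString = false;                             // literal closed
      }
    } else if (ch === "'") {
      inString = true;
      current += ch;
    } else if (ch === ';') {
      if (current.trim()) statements.push(current.trim());
      current = '';
    } else if (ch === '-' && sql[i + 1] === '-') {
      while (i < sql.length && sql[i] !== '\n') i++; // line comment: drop to end of line
    } else {
      current += ch;
    }
  }
  if (current.trim()) statements.push(current.trim());
  return statements;
}

// Constructed input: the array from the advisory, copied straight into replacements.
const ATTACKER_INPUT = ['test', "'); DELETE TestTable WHERE Id = 1 --')"];
const QUERY = 'SELECT * FROM TestTable WHERE Name IN (:names)';

function renderVulnerable() {
  return render(QUERY, { names: ATTACKER_INPUT }, escapeMysqlStyle);
}

function renderFixed() {
  return render(QUERY, { names: ATTACKER_INPUT }, escapeAnsiStyle);
}

// How many statements each dialect family executes for a rendered query.
function statementCounts(sql) {
  return {
    mysqlRule: splitStatements(sql, true).length,
    ansiRule: splitStatements(sql, false).length,
  };
}

console.log('vulnerable SQL :', renderVulnerable());
console.log('  statements   :', statementCounts(renderVulnerable()));
console.log('fixed SQL      :', renderFixed());
console.log('  statements   :', statementCounts(renderFixed()));
```

Under the ANSI rule the vulnerable rendering splits into the intended SELECT followed by DELETE TestTable WHERE Id = 1, while the same string is a single statement under the MySQL rule, which is exactly why the bug only affects Postgres, SQLite and MSSQL. The doubled-quote rendering stays a single statement under both rules.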

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2016-10556
GHSA-9C2P-JW8P-F84V

Affected Products

Sequelize