PT-2020-7933 · Sequelize · Sequelize

Published 2020-09-01 · Updated 2020-09-01 · CVE-2016-1000225

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sequelize versions prior to 3.23.6
Description: Models with a field of the GEOMETRY DataType are vulnerable to SQL injection. Sequelize interpolates the GeoJSON document for such a field into the generated SQL as a string literal, and single quotes inside the document are not escaped: on PostgreSQL the document is passed to ST_GeomFromGeoJSON, and on MySQL it is passed through GeomFromText. A single quote in any value of the document therefore terminates the literal, and whatever follows it is executed as SQL with the privileges of the application's database user (CVSS: no authentication, no user interaction, full impact on confidentiality, integrity and availability).
Recommendations: Update to version 3.23.6 or later. Until the upgrade is deployed, treat GeoJSON supplied by untrusted clients for GEOMETRY fields as hostile input and reject documents containing single quotes before they reach the model.
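The following is an added illustration of the flaw described above; it is not Sequelize's code, and the function names (buildGeomLiteralVulnerable, buildGeomLiteralSafe, countSqlLiterals, isAffectedVersion) and the GeoJSON sample are constructed for this example. It contrasts the vulnerable pattern (the serialized document dropped verbatim into a single-quoted literal around ST_GeomFromGeoJSON) with a version that escapes the literal, walks the resulting SQL to show where the quote boundary breaks, and adds a version check against the fixed release named in the advisory.

```javascript
// Added example (not Sequelize's own implementation). Shows how an unescaped
// single quote inside a GeoJSON document closes the SQL literal passed to
// ST_GeomFromGeoJSON, and how escaping the literal keeps the document inside it.

// Vulnerable pattern: JSON text interpolated verbatim into a single-quoted literal.
function buildGeomLiteralVulnerable(geojson) {
  return `ST_GeomFromGeoJSON('${JSON.stringify(geojson)}')`;
}

// Escape a value for a SQL single-quoted literal: double every single quote and
// refuse NUL bytes. Parameter binding is preferable in real code; this mirrors
// the minimal fix for string interpolation.
function escapeSqlLiteral(text) {
  if (text.includes('\0')) throw new Error('NUL byte in literal');
  return "'" + text.replace(/'/g, "''") + "'";
}

// Hardened pattern: same call, but the document goes through the escaper.
function buildGeomLiteralSafe(geojson) {
  return `ST_GeomFromGeoJSON(${escapeSqlLiteral(JSON.stringify(geojson))})`;
}

// Check generated SQL: count top-level single-quoted literals, treating '' as an
// escaped quote. A well-formed call contains exactly one balanced literal; an
// injection that closes the quote early yields more literals or an unbalanced one.
function countSqlLiterals(sql) {
  let literals = 0;
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { i += 1; continue; }
    literals += 1;
    i += 1;
    for (;;) {
      if (i >= sql.length) return { literals, balanced: false };
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { i += 2; continue; } // doubled quote = escaped
        i += 1;
        break;
      }
      i += 1;
    }
  }
  return { literals, balanced: true };
}

// Affected-version check from the advisory: anything below 3.23.6 is vulnerable.
// Assumes plain "x.y.z" (an optional leading "v" and pre-release suffix are dropped).
function isAffectedVersion(version) {
  const fixed = [3, 23, 6];
  const parts = version.replace(/^v/, '').split('-')[0].split('.').map(Number);
  for (let k = 0; k < 3; k++) {
    const v = parts[k] || 0;
    if (v < fixed[k]) return true;
    if (v > fixed[k]) return false;
  }
  return false;
}

// Constructed sample: a GeoJSON Point whose optional crs name carries a payload.
// JSON.stringify leaves single quotes untouched, so it reaches the SQL unchanged.
const hostileGeoJson = {
  type: 'Point',
  coordinates: [1, 2],
  crs: { type: 'name', properties: { name: "EPSG:4326'); DROP TABLE users; --" } },
};

// Vulnerable: the quote after "EPSG:4326" ends the literal and "); DROP TABLE ..."
// becomes SQL; the trailing "--" comments out the rest of the original statement.
const vulnerableSql = buildGeomLiteralVulnerable(hostileGeoJson);
// Hardened: the same document stays inside a single balanced literal.
const safeSql = buildGeomLiteralSafe(hostileGeoJson);

console.log(vulnerableSql, countSqlLiterals(vulnerableSql));
console.log(safeSql, countSqlLiterals(safeSql));
console.log('3.23.5 affected:', isAffectedVersion('3.23.5'));
```

Running the block prints the two generated statements side by side: the vulnerable one reports two literals with an unbalanced tail, the escaped one a single balanced literal. The same quote-boundary walk can be pointed at query logs from an instance that cannot be upgraded immediately, to spot GEOMETRY inserts that were already broken out of.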

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2016-1000225
GHSA-5V9H-Q3GJ-C32X

Affected Products

Sequelize