Name of the Vulnerable Software and Affected Versions: Propel versions 1.x through 3.x

Description: The issue arises from the limit() query method being susceptible to catastrophic SQL injection when using MySQL. This occurs due to a lack of integer casting of the limit input in either Criteria::setLimit() or in DBMySQL::applyLimit(). The code comments suggest that casting was avoided to prevent overflow issues with 32-bit integers. This behavior is unexpected since one of the primary purposes of an Object-Relational Mapping (ORM) system is to prevent basic SQL injection.

Recommendations: For all affected versions, consider disabling the limit() query method until a proper fix is implemented to prevent SQL injection. Restrict access to the Criteria::setLimit() and DBMySQL::applyLimit() functions to minimize the risk of exploitation. Avoid using the limit() query method in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.