CVE-2015-1369
SQL Injection in sequelize
EPSS 0.36%
Description
Versions 2.0.0-rc-7 and earlier of `sequelize` are affected by a SQL injection vulnerability when user input is passed into the order parameter.

Proof of Concept

```javascript
// Vulnerable usage: the second element of the order tuple (the sort
// direction) is taken directly from untrusted input and reaches the query.
Test.findAndCountAll({
  where: { id: 1 },
  order: [['id', 'UNTRUSTED USER INPUT']]
})
```

Recommendation

Update to version 2.0.0-rc8 or later
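Upgrading is the fix; independently of the library version, the order input should never be forwarded as-is. The following is an added example (not from the advisory or the sequelize project) that builds an `order` value from untrusted query parameters through an allowlist; the column names are assumed for illustration.

```javascript
// Added example: allowlist the column and direction before they reach
// sequelize's `order` option. Column names are assumed, not from the page.
const ALLOWED_SORT_COLUMNS = new Set(['id', 'createdAt', 'name']);
const ALLOWED_DIRECTIONS = new Set(['ASC', 'DESC']);

// Accepts e.g. { sort: 'createdAt', dir: 'desc' } from a query string and
// returns an order array safe to pass to findAll/findAndCountAll.
// Anything outside the allowlist is rejected instead of forwarded.
function buildSafeOrder(query, defaultOrder = [['id', 'ASC']]) {
  if (query.sort === undefined && query.dir === undefined) {
    return defaultOrder;
  }
  const column = typeof query.sort === 'string' ? query.sort : '';
  if (!ALLOWED_SORT_COLUMNS.has(column)) {
    throw new Error('invalid sort column');
  }
  const direction =
    typeof query.dir === 'string' ? query.dir.toUpperCase() : 'ASC';
  if (!ALLOWED_DIRECTIONS.has(direction)) {
    throw new Error('invalid sort direction');
  }
  // Only allowlisted literals are ever placed in the order tuple.
  return [[column, direction]];
}

// Non-throwing wrapper so a request handler can answer 400 on bad input
// rather than letting the value reach the ORM or surfacing a 500.
function safeOrderOrNull(query) {
  try {
    return buildSafeOrder(query);
  } catch (e) {
    return null;
  }
}
```

The returned array is then used as `order: buildSafeOrder(req.query)` in the query options; the literal from the advisory's proof of concept is rejected by `buildSafeOrder` rather than passed through.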
How to fix CVE-2015-1369
To remediate CVE-2015-1369, upgrade the affected package to a fixed version below.
- npm/sequelize—upgrade to 2.0.0-rc8 or later
Is CVE-2015-1369 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.0.0-rc8