admin/cve
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
cve/2023/CVE-2023-25813.md

20 lines
1.1 KiB
Markdown
Raw Permalink Normal View History

Update Sat May 25 21:48:12 CEST 2024
2024-05-25 21:48:12 +02:00
### [CVE-2023-25813](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25813)
![](https://img.shields.io/static/v1?label=Product&message=sequelize&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%206.19.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-89%3A%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20SQL%20Command%20('SQL%20Injection')&color=brighgreen)
### Description
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/ARPSyndicate/cvemon
Update CVE sources 2024-05-28 08:49
2024-05-28 08:49:17 +00:00
- https://github.com/bde574786/Sequelize-1day-CVE-2023-25813
- https://github.com/nomi-sec/PoC-in-GitHub
Update Sat May 25 21:48:12 CEST 2024
2024-05-25 21:48:12 +02:00
Reference in New Issue Copy Permalink