Common Weakness Enumeration

CWE-790

Allowed-with-Review

Improper Filtering of Special Elements

Abstraction: Class · Status: Incomplete

The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.

23 vulnerabilities reference this CWE, most recent first.

CVE-2023-22578 (GCVE-0-2023-22578)

Vulnerability from cvelistv5 – Published: 2023-02-16 14:11 – Updated: 2025-04-01 04:48
VLAI
Title
Sequalize - Default support for “raw attributes” when using parentheses
Summary
Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-790 - Improper Filtering of Special Elements
Assigner
References
Impacted products
Vendor Product Version
Feathers-Sequalize Sequelize.js Affected: <v7.0.0-alpha.20
Create a notification for this product.
Credits
Thomas Rinsma (Codean) Kevin Valk (Codean) Victor Pasman (DIVD) Frank Breedijk (DIVD)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:13:49.012Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2023-22578"
          },
          {
            "tags": [
              "related",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/DIVD-2022-00020/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-22578",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-18T14:48:23.245936Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-18T14:48:34.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sequelize.js",
          "vendor": "Feathers-Sequalize",
          "versions": [
            {
              "status": "affected",
              "version": "\u003cv7.0.0-alpha.20"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Thomas Rinsma (Codean)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Kevin Valk (Codean)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Victor Pasman (DIVD)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Frank Breedijk (DIVD)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections."
            }
          ],
          "value": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-790",
              "description": "CWE-790: Improper Filtering of Special Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-01T04:48:17.055Z",
        "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "shortName": "DIVD"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://csirt.divd.nl/CVE-2023-22578"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://csirt.divd.nl/DIVD-2022-00020/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Sequalize - Default support for \u201craw attributes\u201d when using parentheses",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
    "assignerShortName": "DIVD",
    "cveId": "CVE-2023-22578",
    "datePublished": "2023-02-16T14:11:36.631Z",
    "dateReserved": "2023-01-03T07:33:48.701Z",
    "dateUpdated": "2025-04-01T04:48:17.055Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-43802 (GCVE-0-2021-43802)

Vulnerability from cvelistv5 – Published: 2021-12-09 22:35 – Updated: 2024-08-04 04:03
VLAI
Title
Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports
Summary
Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:*` records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p/*/import`, which will block all imports, not just `*.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory.
CWE
  • CWE-790 - Improper Filtering of Special Elements
  • CWE-1287 - Improper Validation of Specified Type of Input
Assigner
Impacted products
Vendor Product Version
ether etherpad-lite Affected: < 1.8.16
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:03:08.907Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ether/etherpad-lite/issues/5010"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "etherpad-lite",
          "vendor": "ether",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:*` records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p/*/import`, which will block all imports, not just `*.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-790",
              "description": "CWE-790: Improper Filtering of Special Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1287",
              "description": "CWE-1287: Improper Validation of Specified Type of Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-09T22:35:12.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ether/etherpad-lite/issues/5010"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16"
        }
      ],
      "source": {
        "advisory": "GHSA-w3g3-qf3g-2mqc",
        "discovery": "UNKNOWN"
      },
      "title": "Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43802",
          "STATE": "PUBLIC",
          "TITLE": "Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "etherpad-lite",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.8.16"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ether"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:*` records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p/*/import`, which will block all imports, not just `*.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-790: Improper Filtering of Special Elements"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-1287: Improper Validation of Specified Type of Input"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc",
              "refsource": "CONFIRM",
              "url": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc"
            },
            {
              "name": "https://github.com/ether/etherpad-lite/issues/5010",
              "refsource": "MISC",
              "url": "https://github.com/ether/etherpad-lite/issues/5010"
            },
            {
              "name": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53",
              "refsource": "MISC",
              "url": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53"
            },
            {
              "name": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16",
              "refsource": "MISC",
              "url": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-w3g3-qf3g-2mqc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-43802",
    "datePublished": "2021-12-09T22:35:12.000Z",
    "dateReserved": "2021-11-16T00:00:00.000Z",
    "dateUpdated": "2024-08-04T04:03:08.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-3222-M64X-QWPG

Vulnerability from github – Published: 2026-03-25 15:31 – Updated: 2026-03-27 21:31
VLAI
Details

Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-790"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T14:16:30Z",
    "severity": "HIGH"
  },
  "details": "Ericsson\nIndoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special\nElements\u00a0vulnerability which, if exploited, can lead to unauthorized\nmodification of certain information",
  "id": "GHSA-3222-m64x-qwpg",
  "modified": "2026-03-27T21:31:32Z",
  "published": "2026-03-25T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27260"
    },
    {
      "type": "WEB",
      "url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-27260"
    },
    {
      "type": "WEB",
      "url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4H57-3GMX-G682

Vulnerability from github – Published: 2024-07-15 09:36 – Updated: 2024-07-15 09:36
VLAI
Details

Improper filtering of fields when using the export function in the ticket overview of the external interface could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-790"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-15T08:15:02Z",
    "severity": "MODERATE"
  },
  "details": "Improper filtering of fields when using the export function in the ticket overview of the external interface could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator.\nThis issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x\n\n",
  "id": "GHSA-4h57-3gmx-g682",
  "modified": "2024-07-15T09:36:24Z",
  "published": "2024-07-15T09:36:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6540"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79G4-F35R-G3F6

Vulnerability from github – Published: 2024-08-26 09:30 – Updated: 2024-08-26 09:30
VLAI
Details

Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects:

  • OTRS from 7.0.X through 7.0.50
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS from 2024.X through 2024.5.X
  • ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-790"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-26T09:15:04Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Input done by an attacker with admin privileges (\u0027Cross-site Scripting\u0027) in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins.\nThis issue affects: \n\n  *  OTRS from 7.0.X through 7.0.50\n  *  OTRS 8.0.X\n  *  OTRS 2023.X\n  *  OTRS from 2024.X through 2024.5.X\n  *  ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected",
  "id": "GHSA-79g4-f35r-g3f6",
  "modified": "2024-08-26T09:30:44Z",
  "published": "2024-08-26T09:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43443"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-899F-Q8CX-3V8R

Vulnerability from github – Published: 2024-04-24 00:30 – Updated: 2024-07-03 18:36
VLAI
Details

An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers with firmware version RSR10-01G-T-S_RSR_3.0(1)B9P2, Release(07150910) allows attackers to execute arbitrary code via the common_quick_config.lua file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-790"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-23T22:15:07Z",
    "severity": "HIGH"
  },
  "details": "An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers with firmware version RSR10-01G-T-S_RSR_3.0(1)B9P2, Release(07150910) allows attackers to execute arbitrary code via the common_quick_config.lua file.",
  "id": "GHSA-899f-q8cx-3v8r",
  "modified": "2024-07-03T18:36:44Z",
  "published": "2024-04-24T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31616"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Swind1er/0c50e72428059fb72a4fd4d31c43f883"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8MWQ-MJ73-QV68

Vulnerability from github – Published: 2023-02-16 15:30 – Updated: 2023-02-24 18:48
VLAI
Summary
Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements
Details

Duplicate advisory

This advisory has been withdrawn because it is a duplicate of GHSA-f598-mfpv-gmfx. This link is maintained to preserve external references.

Original Description

Due to improper attribute filtering in the sequelize js library, an attacker can peform SQL injections. This issue can be mitigated by not accepting untrusted input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sequelize/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0-alpha.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.28.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-790"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-22T23:16:24Z",
    "nvd_published_at": "2023-02-16T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "## Duplicate advisory\nThis advisory has been withdrawn because it is a duplicate of [GHSA-f598-mfpv-gmfx](https://github.com/advisories/GHSA-f598-mfpv-gmfx). This link is maintained to preserve external references.\n\n## Original Description\nDue to improper attribute filtering in the sequelize js library, an attacker can peform SQL injections. This issue can be mitigated by not accepting untrusted input.",
  "id": "GHSA-8mwq-mj73-qv68",
  "modified": "2023-02-24T18:48:34Z",
  "published": "2023-02-16T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2023-22578"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/DIVD-2022-00020"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sequelize/sequelize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/discussions/15694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements",
  "withdrawn": "2023-02-24T18:48:34Z"
}

GHSA-F598-MFPV-GMFX

Vulnerability from github – Published: 2023-02-24 18:48 – Updated: 2023-02-24 18:48
VLAI
Summary
Sequelize - Default support for “raw attributes” when using parentheses
Details

Impact

Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL

User.findAll({
  attributes: [
    ['count(id)', 'count']
  ]
});

Produced

SELECT count(id) AS "count" FROM "users"

Patches

This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.

This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.

In Sequelize 7, it now produces the following:

SELECT "count(id)" AS "count" FROM "users"

In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.

Mitigations

Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.


A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sequelize/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0-alpha.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "sequelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-790"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-24T18:48:49Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nSequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL\n\n```ts\nUser.findAll({\n  attributes: [\n    [\u0027count(id)\u0027, \u0027count\u0027]\n  ]\n});\n```\n\nProduced\n\n```sql\nSELECT count(id) AS \"count\" FROM \"users\"\n```\n\n### Patches\n\nThis feature was deprecated in Sequelize 5, and using it prints a deprecation warning.\n\nThis issue has been patched in [`@sequelize/core@7.0.0.alpha-20`](https://github.com/sequelize/sequelize/pull/15374) and [`sequelize@6.29.0`](https://github.com/sequelize/sequelize/pull/15710). \n\nIn Sequelize 7, it now produces the following:\n\n```sql\nSELECT \"count(id)\" AS \"count\" FROM \"users\"\n```\n\nIn Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.\n\n### Mitigations\n\nDo not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first.\n\n---\n\nA discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694\nCVE: CVE-2023-22578",
  "id": "GHSA-f598-mfpv-gmfx",
  "modified": "2023-02-24T18:48:49Z",
  "published": "2023-02-24T18:48:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/pull/15710"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2023-22578"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/DIVD-2022-00020"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sequelize/sequelize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/discussions/15694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/releases/tag/v6.29.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sequelize - Default support for \u201craw attributes\u201d when using parentheses"
}

GHSA-G24F-94PQ-JR67

Vulnerability from github – Published: 2024-08-26 09:30 – Updated: 2024-08-26 18:33
VLAI
Details

Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in  OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue affects: 

  • OTRS from 7.0.X through 7.0.50
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS from 2024.X through 2024.5.X
  • ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-790"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-26T09:15:04Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Input done by an attacker with admin privileges (\u0027Cross-site Scripting\u0027) in\u00a0 OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins.\nThis issue affects:\u00a0\n\n  *  OTRS from 7.0.X through 7.0.50\n  *  OTRS 8.0.X\n  *  OTRS 2023.X\n  *  OTRS from 2024.X through 2024.5.X\n  *  ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected",
  "id": "GHSA-g24f-94pq-jr67",
  "modified": "2024-08-26T18:33:33Z",
  "published": "2024-08-26T09:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43442"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFG6-72XH-M6QG

Vulnerability from github – Published: 2026-03-30 09:31 – Updated: 2026-03-30 09:31
VLAI
Details

An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-790"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T08:16:17Z",
    "severity": "HIGH"
  },
  "details": "An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information.",
  "id": "GHSA-hfg6-72xh-m6qg",
  "modified": "2026-03-30T09:31:28Z",
  "published": "2026-03-30T09:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2328"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/de/advisories/VDE-2026-010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.