CWE-790
Allowed-with-ReviewImproper Filtering of Special Elements
Abstraction: Class · Status: Incomplete
The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.
23 vulnerabilities reference this CWE, most recent first.
CVE-2023-22578 (GCVE-0-2023-22578)
Vulnerability from cvelistv5 – Published: 2023-02-16 14:11 – Updated: 2025-04-01 04:48- CWE-790 - Improper Filtering of Special Elements
| URL | Tags |
|---|---|
| https://csirt.divd.nl/CVE-2023-22578 | third-party-advisory |
| https://csirt.divd.nl/DIVD-2022-00020/ | related |
| Vendor | Product | Version | |
|---|---|---|---|
| Feathers-Sequalize | Sequelize.js |
Affected:
<v7.0.0-alpha.20
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:49.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2023-22578"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T14:48:23.245936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T14:48:34.841Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sequelize.js",
"vendor": "Feathers-Sequalize",
"versions": [
{
"status": "affected",
"version": "\u003cv7.0.0-alpha.20"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Valk (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections."
}
],
"value": "Due to improper artibute filtering in the sequalize js library, can a attacker peform SQL injections."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-790",
"description": "CWE-790: Improper Filtering of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T04:48:17.055Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2023-22578"
},
{
"tags": [
"related"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Sequalize - Default support for \u201craw attributes\u201d when using parentheses",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2023-22578",
"datePublished": "2023-02-16T14:11:36.631Z",
"dateReserved": "2023-01-03T07:33:48.701Z",
"dateUpdated": "2025-04-01T04:48:17.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43802 (GCVE-0-2021-43802)
Vulnerability from cvelistv5 – Published: 2021-12-09 22:35 – Updated: 2024-08-04 04:03| URL | Tags |
|---|---|
| https://github.com/ether/etherpad-lite/security/a… | x_refsource_CONFIRM |
| https://github.com/ether/etherpad-lite/issues/5010 | x_refsource_MISC |
| https://github.com/ether/etherpad-lite/compare/b7… | x_refsource_MISC |
| https://github.com/ether/etherpad-lite/releases/t… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| ether | etherpad-lite |
Affected:
< 1.8.16
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ether/etherpad-lite/issues/5010"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "etherpad-lite",
"vendor": "ether",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:*` records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p/*/import`, which will block all imports, not just `*.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-790",
"description": "CWE-790: Improper Filtering of Special Elements",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-09T22:35:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ether/etherpad-lite/issues/5010"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16"
}
],
"source": {
"advisory": "GHSA-w3g3-qf3g-2mqc",
"discovery": "UNKNOWN"
},
"title": "Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43802",
"STATE": "PUBLIC",
"TITLE": "Admin privilege escalation and arbitrary code execution via malicious *.etherpad imports"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "etherpad-lite",
"version": {
"version_data": [
{
"version_value": "\u003c 1.8.16"
}
]
}
}
]
},
"vendor_name": "ether"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up. Core Etherpad does not delete any `express-session` state, so the only known attacks require either a plugin that can delete session state or a custom cleanup process (such as a cron job that deletes old `sessionstorage:*` records). The problem has been fixed in version 1.8.16. If users cannot upgrade to 1.8.16 or install patches manually, several workarounds are available. Users may configure their reverse proxies to reject requests to `/p/*/import`, which will block all imports, not just `*.etherpad` imports; limit all users to read-only access; and/or prevent the reuse of `express_sid` cookie values that refer to deleted express-session state. More detailed information and general mitigation strategies may be found in the GitHub Security Advisory."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-790: Improper Filtering of Special Elements"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-1287: Improper Validation of Specified Type of Input"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc",
"refsource": "CONFIRM",
"url": "https://github.com/ether/etherpad-lite/security/advisories/GHSA-w3g3-qf3g-2mqc"
},
{
"name": "https://github.com/ether/etherpad-lite/issues/5010",
"refsource": "MISC",
"url": "https://github.com/ether/etherpad-lite/issues/5010"
},
{
"name": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53",
"refsource": "MISC",
"url": "https://github.com/ether/etherpad-lite/compare/b7065eb9a0ec7c3c265f8cfeb2534efe6f036456...77bcb507b30e762e9375b0511b3763e0162aae53"
},
{
"name": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16",
"refsource": "MISC",
"url": "https://github.com/ether/etherpad-lite/releases/tag/1.8.16"
}
]
},
"source": {
"advisory": "GHSA-w3g3-qf3g-2mqc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43802",
"datePublished": "2021-12-09T22:35:12.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:03:08.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-3222-M64X-QWPG
Vulnerability from github – Published: 2026-03-25 15:31 – Updated: 2026-03-27 21:31Ericsson Indoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special Elements vulnerability which, if exploited, can lead to unauthorized modification of certain information
{
"affected": [],
"aliases": [
"CVE-2025-27260"
],
"database_specific": {
"cwe_ids": [
"CWE-790"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T14:16:30Z",
"severity": "HIGH"
},
"details": "Ericsson\nIndoor Connect 8855 versions prior to 2025.Q3 contains an Improper Filtering of Special\nElements\u00a0vulnerability which, if exploited, can lead to unauthorized\nmodification of certain information",
"id": "GHSA-3222-m64x-qwpg",
"modified": "2026-03-27T21:31:32Z",
"published": "2026-03-25T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27260"
},
{
"type": "WEB",
"url": "https://www.ericsson.com/en/about-us/security/psirt/CVE-2025-27260"
},
{
"type": "WEB",
"url": "https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-indoorconnect-march-2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4H57-3GMX-G682
Vulnerability from github – Published: 2024-07-15 09:36 – Updated: 2024-07-15 09:36Improper filtering of fields when using the export function in the ticket overview of the external interface could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x
{
"affected": [],
"aliases": [
"CVE-2024-6540"
],
"database_specific": {
"cwe_ids": [
"CWE-790"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-15T08:15:02Z",
"severity": "MODERATE"
},
"details": "Improper filtering of fields when using the export function in the ticket overview of the external interface could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator.\nThis issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x\n\n",
"id": "GHSA-4h57-3gmx-g682",
"modified": "2024-07-15T09:36:24Z",
"published": "2024-07-15T09:36:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6540"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-79G4-F35R-G3F6
Vulnerability from github – Published: 2024-08-26 09:30 – Updated: 2024-08-26 09:30Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins. This issue affects:
- OTRS from 7.0.X through 7.0.50
- OTRS 8.0.X
- OTRS 2023.X
- OTRS from 2024.X through 2024.5.X
- ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition also very likely to be affected
{
"affected": [],
"aliases": [
"CVE-2024-43443"
],
"database_specific": {
"cwe_ids": [
"CWE-790"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-26T09:15:04Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Input done by an attacker with admin privileges (\u0027Cross-site Scripting\u0027) in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins.\nThis issue affects: \n\n * OTRS from 7.0.X through 7.0.50\n * OTRS 8.0.X\n * OTRS 2023.X\n * OTRS from 2024.X through 2024.5.X\n * ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected",
"id": "GHSA-79g4-f35r-g3f6",
"modified": "2024-08-26T09:30:44Z",
"published": "2024-08-26T09:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43443"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-899F-Q8CX-3V8R
Vulnerability from github – Published: 2024-04-24 00:30 – Updated: 2024-07-03 18:36An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers with firmware version RSR10-01G-T-S_RSR_3.0(1)B9P2, Release(07150910) allows attackers to execute arbitrary code via the common_quick_config.lua file.
{
"affected": [],
"aliases": [
"CVE-2024-31616"
],
"database_specific": {
"cwe_ids": [
"CWE-790"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-23T22:15:07Z",
"severity": "HIGH"
},
"details": "An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers with firmware version RSR10-01G-T-S_RSR_3.0(1)B9P2, Release(07150910) allows attackers to execute arbitrary code via the common_quick_config.lua file.",
"id": "GHSA-899f-q8cx-3v8r",
"modified": "2024-07-03T18:36:44Z",
"published": "2024-04-24T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31616"
},
{
"type": "WEB",
"url": "https://gist.github.com/Swind1er/0c50e72428059fb72a4fd4d31c43f883"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8MWQ-MJ73-QV68
Vulnerability from github – Published: 2023-02-16 15:30 – Updated: 2023-02-24 18:48Duplicate advisory
This advisory has been withdrawn because it is a duplicate of GHSA-f598-mfpv-gmfx. This link is maintained to preserve external references.
Original Description
Due to improper attribute filtering in the sequelize js library, an attacker can peform SQL injections. This issue can be mitigated by not accepting untrusted input.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sequelize/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0-alpha.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.28.2"
},
"package": {
"ecosystem": "npm",
"name": "sequelize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-790"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-22T23:16:24Z",
"nvd_published_at": "2023-02-16T15:15:00Z",
"severity": "CRITICAL"
},
"details": "## Duplicate advisory\nThis advisory has been withdrawn because it is a duplicate of [GHSA-f598-mfpv-gmfx](https://github.com/advisories/GHSA-f598-mfpv-gmfx). This link is maintained to preserve external references.\n\n## Original Description\nDue to improper attribute filtering in the sequelize js library, an attacker can peform SQL injections. This issue can be mitigated by not accepting untrusted input.",
"id": "GHSA-8mwq-mj73-qv68",
"modified": "2023-02-24T18:48:34Z",
"published": "2023-02-16T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2023-22578"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"type": "PACKAGE",
"url": "https://github.com/sequelize/sequelize"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/discussions/15694"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements",
"withdrawn": "2023-02-24T18:48:34Z"
}
GHSA-F598-MFPV-GMFX
Vulnerability from github – Published: 2023-02-24 18:48 – Updated: 2023-02-24 18:48Impact
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL
User.findAll({
attributes: [
['count(id)', 'count']
]
});
Produced
SELECT count(id) AS "count" FROM "users"
Patches
This feature was deprecated in Sequelize 5, and using it prints a deprecation warning.
This issue has been patched in @sequelize/core@7.0.0.alpha-20 and sequelize@6.29.0.
In Sequelize 7, it now produces the following:
SELECT "count(id)" AS "count" FROM "users"
In Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include () without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.
Mitigations
Do not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the rawAttributes property of your model first.
A discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694 CVE: CVE-2023-22578
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sequelize/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0-alpha.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "sequelize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22578"
],
"database_specific": {
"cwe_ids": [
"CWE-790"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-24T18:48:49Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nSequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL\n\n```ts\nUser.findAll({\n attributes: [\n [\u0027count(id)\u0027, \u0027count\u0027]\n ]\n});\n```\n\nProduced\n\n```sql\nSELECT count(id) AS \"count\" FROM \"users\"\n```\n\n### Patches\n\nThis feature was deprecated in Sequelize 5, and using it prints a deprecation warning.\n\nThis issue has been patched in [`@sequelize/core@7.0.0.alpha-20`](https://github.com/sequelize/sequelize/pull/15374) and [`sequelize@6.29.0`](https://github.com/sequelize/sequelize/pull/15710). \n\nIn Sequelize 7, it now produces the following:\n\n```sql\nSELECT \"count(id)\" AS \"count\" FROM \"users\"\n```\n\nIn Sequelize 6, it throws an error explaining that we had to introduce a breaking change, and requires the user to explicitly opt-in to either the Sequelize 7 behavior (always escape) or the Sequelize 5 behavior (inline attributes that include `()` without escaping). See https://github.com/sequelize/sequelize/pull/15710 for more information.\n\n### Mitigations\n\nDo not use user-provided content to build your list or attributes. If you do, make sure that attribute in question actually exists on your model by checking that it exists in the `rawAttributes` property of your model first.\n\n---\n\nA discussion thread about this issue is open at https://github.com/sequelize/sequelize/discussions/15694\nCVE: CVE-2023-22578",
"id": "GHSA-f598-mfpv-gmfx",
"modified": "2023-02-24T18:48:49Z",
"published": "2023-02-24T18:48:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-f598-mfpv-gmfx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22578"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/pull/15710"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2023-22578"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"type": "PACKAGE",
"url": "https://github.com/sequelize/sequelize"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/discussions/15694"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/releases/tag/v6.29.0"
},
{
"type": "WEB",
"url": "https://github.com/sequelize/sequelize/releases/tag/v7.0.0-alpha.20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sequelize - Default support for \u201craw attributes\u201d when using parentheses"
}
GHSA-G24F-94PQ-JR67
Vulnerability from github – Published: 2024-08-26 09:30 – Updated: 2024-08-26 18:33Improper Neutralization of Input done by an attacker with admin privileges ('Cross-site Scripting') in OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins. This issue affects:
- OTRS from 7.0.X through 7.0.50
- OTRS 8.0.X
- OTRS 2023.X
- OTRS from 2024.X through 2024.5.X
- ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition also very likely to be affected
{
"affected": [],
"aliases": [
"CVE-2024-43442"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-790"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-26T09:15:04Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Input done by an attacker with admin privileges (\u0027Cross-site Scripting\u0027) in\u00a0 OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins.\nThis issue affects:\u00a0\n\n * OTRS from 7.0.X through 7.0.50\n * OTRS 8.0.X\n * OTRS 2023.X\n * OTRS from 2024.X through 2024.5.X\n * ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected",
"id": "GHSA-g24f-94pq-jr67",
"modified": "2024-08-26T18:33:33Z",
"published": "2024-08-26T09:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43442"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2024-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HFG6-72XH-M6QG
Vulnerability from github – Published: 2026-03-30 09:31 – Updated: 2026-03-30 09:31An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information.
{
"affected": [],
"aliases": [
"CVE-2026-2328"
],
"database_specific": {
"cwe_ids": [
"CWE-790"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T08:16:17Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, resulting in exposure of sensitive information.",
"id": "GHSA-hfg6-72xh-m6qg",
"modified": "2026-03-30T09:31:28Z",
"published": "2026-03-30T09:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2328"
},
{
"type": "WEB",
"url": "https://certvde.com/de/advisories/VDE-2026-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.