Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4NXgtNDltbS12bWh3

SQL Injection in sails-mysql

Versions of sails-mysql prior to 0.10.8 are vulnerable to SQL Injection. The sort keyword is not properly sanitized and may allow attackers to inject SQL statements and execute arbitrary SQL queries

Recommendation

Upgrade to version 0.10.8 or later.

Permalink: https://github.com/advisories/GHSA-hx5x-49mm-vmhw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4NXgtNDltbS12bWh3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-hx5x-49mm-vmhw
References: Repository: https://github.com/balderdashy/sails
Blast Radius: 22.9

Affected Packages

npm:sails-mysql
Dependent packages: 72
Dependent repositories: 1,144
Downloads: 23,927 last month
Affected Version Ranges: < 0.10.8
Fixed in: 0.10.8
All affected versions: 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7
All unaffected versions: 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.12.0, 0.12.1, 0.12.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 3.0.0, 3.0.1