ByteOS Network

NVD Vulnerability Details :

CVE-2016-10551

Modified

Source-support@hackerone.com

Published At-29 May, 2018 | 20:29

Updated At-09 Oct, 2019 | 23:16

waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's `like`, `contains`, `startsWith`, or `endsWith` will end up in waterline-sequel with the potential for malicious code. A malicious user can input their own SQL statements in waterline-sequel 0.50 that will get executed and have full access to the database.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary	2.0	7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P

CPE Matches

balderdash>>waterline-sequel>>0.5.0

cpe:2.3:a:balderdash:waterline-sequel:0.5.0:*:*:*:*:node.js:*:*

Weaknesses

CWE ID	Type	Source
CWE-89	Primary	nvd@nist.gov
CWE-89	Secondary	support@hackerone.com

References

Hyperlink	Source	Resource
https://github.com/balderdashy/waterline/issues/1219#issuecomment-157294530	support@hackerone.com	Exploit Issue Tracking Third Party Advisory
https://nodesecurity.io/advisories/115	support@hackerone.com	Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History