{"id":"CVE-2020-11010","details":"In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found: on MySQL, and when filtering or doing mass-updates on char/text fields. SQLite and PostgreSQL are affected only when filtering with the contains, starts_with, or ends_with filters (and their case-insensitive counterparts).","aliases":["GHSA-9j2c-x8qm-qmjq","PYSEC-2020-144"],"modified":"2026-03-13T22:15:49.068076Z","published":"2020-04-20T22:15:13.587Z","related":["GHSA-9j2c-x8qm-qmjq"],"references":[{"type":"ADVISORY","url":"https://github.com/tortoise/tortoise-orm/security/advisories/GHSA-9j2c-x8qm-qmjq"},{"type":"FIX","url":"https://github.com/tortoise/tortoise-orm/commit/91c364053e0ddf77edc5442914c6f049512678b3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tortoise/tortoise-orm","events":[{"introduced":"0"},{"fixed":"d9b0c2ded9ee5a140493f9940dc2abeae4c53aa5"},{"introduced":"558f4651eeb13068b91ff6d50703480cd086fa49"},{"fixed":"50bf70855abbd10833131ff8f8ee3add5a563db7"},{"fixed":"91c364053e0ddf77edc5442914c6f049512678b3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.15.23"},{"introduced":"0.16.0"},{"fixed":"0.16.6"}]}}],"versions":["0.15.19","0.16.0","0.16.1","0.16.2","0.16.3","0.16.4","0.16.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11010.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}