Search
Total
2383 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24849 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections | |||||
| CVE-2021-44655 | 1 Online Pre-owned\/used Car Showroom Management System Project | 1 Online Pre-owned\/used Car Showroom Management System | 2021-12-22 | 7.5 HIGH | 9.8 CRITICAL |
| Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to get admin access on the application. | |||||
| CVE-2021-43451 | 1 Employee Record Management System Project | 1 Employee Record Management System | 2021-12-22 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php. | |||||
| CVE-2021-44280 | 1 Attendance Management System Project | 1 Attendance Management System | 2021-12-22 | 7.5 HIGH | 9.8 CRITICAL |
| attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function. | |||||
| CVE-2021-40850 | 1 Tcman | 1 Gim | 2021-12-21 | 7.5 HIGH | 9.8 CRITICAL |
| TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx. | |||||
| CVE-2021-44350 | 1 Thinkphp | 1 Thinkphp | 2021-12-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php. | |||||
| CVE-2018-18805 | 1 Pointofsales Project | 1 Pointofsales | 2021-12-17 | 7.5 HIGH | 9.8 CRITICAL |
| Point Of Sales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb. | |||||
| CVE-2021-44966 | 1 Employee Record Management System Project | 1 Employee Record Management System | 2021-12-17 | 10.0 HIGH | 9.8 CRITICAL |
| SQL injection bypass authentication vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. An attacker can log in as an admin account of this system and can destroy, change or manipulate all sensitive information on the system. | |||||
| CVE-2021-24863 | 1 Stopbadbots | 1 Block And Stop Bad Bots | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection | |||||
| CVE-2021-42668 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page.. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability in order to get a remote code execution on the remote web server. | |||||
| CVE-2021-42064 | 1 Sap | 1 Commerce | 2021-12-16 | 6.8 MEDIUM | 9.8 CRITICAL |
| If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values. | |||||
| CVE-2021-44026 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | |||||
| CVE-2021-24951 | 1 Thimpress | 1 Learnpress | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues | |||||
| CVE-2021-42945 | 1 Zzcms | 1 Zzcms | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in ZZCMS 2021 via the askbigclassid parameter in /admin/ask.php. | |||||
| CVE-2021-45014 | 1 Taogogo | 1 Taocms | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| There is an upload sql injection vulnerability in the background of taocms 3.0.2 in parameter id:action=cms&ctrl=update&id=26 | |||||
| CVE-2021-41492 | 1 Simple Cashiering System Project | 1 Simple Cashiering System | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL Injection vulnerabilities exist in Sourcecodester Simple Cashiering System (POS) 1.0 via the (1) Product Code in the pos page in cashiering. (2) id parameter in manage_products and the (3) t paramater in actions.php. | |||||
| CVE-2021-33701 | 1 Sap | 3 Dmis, S4core, Sapscore | 2021-12-15 | 6.5 MEDIUM | 9.1 CRITICAL |
| DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability. | |||||
| CVE-2021-24915 | 1 Contest Gallery | 1 Contest Gallery | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address | |||||
| CVE-2021-43608 | 1 Doctrine-project | 1 Database Abstraction Layer | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not probably cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API. | |||||
| CVE-2020-23935 | 1 Student Management System Project | 1 Student Management System | 2021-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)". | |||||
| CVE-2021-41695 | 1 Globaldatingsoftware | 1 Premiumdatingscript | 2021-12-14 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php. . | |||||
| CVE-2021-43789 | 1 Prestashop | 1 Prestashop | 2021-12-08 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2. | |||||
| CVE-2019-18413 | 1 Typestack Class-validator Project | 1 Typestack Class-validator | 2021-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product. | |||||
| CVE-2021-24943 | 1 Roundupwp | 1 Registrations For The Events Calendar | 2021-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection. | |||||
| CVE-2021-31632 | 1 B2evolution | 1 B2evolution Cms | 2021-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| b2evolution CMS v7.2.3 was discovered to contain a SQL injection vulnerability via the parameter cfqueryparam in the User login section. This vulnerability allows attackers to execute arbitrary code via a crafted input. | |||||
| CVE-2021-24866 | 1 Wpdataaccess | 1 Wp Data Access | 2021-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion | |||||
| CVE-2021-44348 | 1 Yejiao | 1 Tuzicms | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameer in App\Manage\Controller\AdvertController.class.php. | |||||
| CVE-2021-35414 | 1 Chamilo | 1 Chamilo Lms | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php. | |||||
| CVE-2021-44349 | 1 Yejiao | 1 Tuzicms | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\DownloadController.class.php. | |||||
| CVE-2020-10549 | 1 Rconfig | 1 Rconfig | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. | |||||
| CVE-2020-10548 | 1 Rconfig | 1 Rconfig | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. | |||||
| CVE-2021-43035 | 1 Kaseya | 1 Unitrends Backup | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account. | |||||
| CVE-2020-10547 | 1 Rconfig | 1 Rconfig | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. | |||||
| CVE-2021-44347 | 1 Yejiao | 1 Tuzicms | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Controller\GuestbookController.class.php. | |||||
| CVE-2020-10546 | 1 Rconfig | 1 Rconfig | 2021-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. | |||||
| CVE-2021-42169 | 1 Simple Payroll System With Dynamic Tax Bracket Project | 1 Simple Payroll System With Dynamic Tax Bracket | 2021-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. | |||||
| CVE-2019-7164 | 5 Debian, Opensuse, Oracle and 2 more | 9 Debian Linux, Backports Sle, Leap and 6 more | 2021-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. | |||||
| CVE-2021-43679 | 1 Shopex | 1 Ecshop | 2021-12-03 | 7.5 HIGH | 9.8 CRITICAL |
| ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php. | |||||
| CVE-2021-41511 | 1 Lodging Reservation Management System Project | 1 Lodging Reservation Management System | 2021-11-30 | 7.5 HIGH | 9.8 CRITICAL |
| The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication. | |||||
| CVE-2021-41678 | 1 Os4ed | 1 Opensis | 2021-11-30 | 6.8 MEDIUM | 9.8 CRITICAL |
| A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter. | |||||
| CVE-2021-41679 | 1 Os4ed | 1 Opensis | 2021-11-30 | 6.8 MEDIUM | 9.8 CRITICAL |
| A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter. | |||||
| CVE-2021-41677 | 1 Os4ed | 1 Opensis | 2021-11-30 | 6.8 MEDIUM | 9.8 CRITICAL |
| A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter. | |||||
| CVE-2021-44427 | 1 Rosariosis | 1 Rosariosis | 2021-11-30 | 7.5 HIGH | 9.8 CRITICAL |
| An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter. | |||||
| CVE-2021-42667 | 1 Online Event Booking And Reservation System Project | 1 Online Event Booking And Reservation System | 2021-11-28 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the sql query performed. As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server. | |||||
| CVE-2021-38840 | 1 Simple Water Refilling Station Management System Project | 1 Simple Water Refilling Station Management System | 2021-11-28 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter. | |||||
| CVE-2021-38727 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-11-28 | 7.5 HIGH | 9.8 CRITICAL |
| FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items | |||||
| CVE-2021-41674 | 1 E-negosyo System Project | 1 E-negosyo System | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php. | |||||
| CVE-2021-41676 | 1 Pharmacy Point Of Sale System Project | 1 Pharmacy Point Of Sale System | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerabilty exists in the oretnom23 Pharmacy Point of Sale System 1.0 in the login function in actions.php. | |||||
| CVE-2021-42325 | 1 Froxlor | 1 Froxlor | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
| Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name. | |||||
| CVE-2021-36916 | 1 Wpwave | 1 Hide My Wp | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
| The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible. | |||||