Total: 2383 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-20122 | 1 Wuzhicms | 1 Wuzhi Cms | 2021-10-06 | 7.5 HIGH | 9.8 CRITICAL | Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php. |
| CVE-2021-24666 | 1 Podlove | 1 Podlove Podcast Publisher | 2021-10-05 | 6.8 MEDIUM | 9.8 CRITICAL | The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+)' and takes 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi. |
| CVE-2020-20796 | 1 Flamecms Project | 1 Flamecms | 2021-10-04 | 7.5 HIGH | 9.8 CRITICAL | FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter. |
| CVE-2020-20797 | 1 Flamecms Project | 1 Flamecms | 2021-10-04 | 7.5 HIGH | 9.8 CRITICAL | FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php. |
| CVE-2021-24741 | 1 Schiocco | 1 Support Board - Chat And Help Desk | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL | The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. |
| CVE-2021-38303 | 1 Surelinesystems | 1 Sureedge Migrator | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360. |
| CVE-2021-36880 | 1 Stylemixthemes | 1 Ulisting | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL | Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom. |
| CVE-2019-10910 | 2 Drupal, Sensiolabs | 2 Drupal, Symfony | 2021-09-29 | 7.5 HIGH | 9.8 CRITICAL | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. |
| CVE-2021-40674 | 1 Wuzhicms | 1 Wuzhicms | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php. |
| CVE-2020-21121 | 1 Kliqqi | 1 Kliqqi Cms | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL | Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file. |
| CVE-2021-40670 | 1 Wuzhicms | 1 Wuzhicms | 2021-09-27 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the /coreframe/app/order/admin/card.php file. |
| CVE-2021-40669 | 1 Wuzhicms | 1 Wuzhicms | 2021-09-27 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file. |
| CVE-2020-21127 | 1 Metinfo | 1 Metinfo | 2021-09-23 | 7.5 HIGH | 9.8 CRITICAL | MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel. |
| CVE-2021-37593 | 1 Peel | 1 Peel Shopping | 2021-09-21 | 6.4 MEDIUM | 9.1 CRITICAL | PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data. |
| CVE-2021-35042 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL | Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. |
| CVE-2020-35427 | 1 Employee Record Management System Project | 1 Employee Record Management System | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication. |
| CVE-2021-37422 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. |
| CVE-2021-39378 | 1 Os4ed | 1 Opensis | 2021-09-16 | 7.5 HIGH | 9.8 CRITICAL | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter. |
| CVE-2021-40814 | 1 Mypresta | 1 Customer Photo Gallery | 2021-09-15 | 7.5 HIGH | 9.8 CRITICAL | The Customer Photo Gallery addon before 2.9.4 for PrestaShop is vulnerable to SQL injection. |
| CVE-2021-35048 | 1 Fidelissecurity | 2 Deception, Network | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL | Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability. |
| CVE-2020-18667 | 1 Webport | 1 Webport | 2021-09-13 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in WebPort <=1.19.1 via the new connection, parameter name in type-conn. |
| CVE-2014-5071 | 1 Microsemi | 2 S350i, S350i Firmware | 2021-09-13 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in the checkPassword function in Symmetricom s350i 2.70.15 allows remote attackers to execute arbitrary SQL commands via vectors involving a username. |
| CVE-2020-19853 | 1 Bluecms Project | 1 Bluecms | 2021-09-10 | 7.5 HIGH | 9.8 CRITICAL | BlueCMS v1.6 contains a SQL injection vulnerability via /ad_js.php. |
| CVE-2017-13137 | 1 Formcrafts | 1 Formcraft | 2021-09-10 | 7.5 HIGH | 9.8 CRITICAL | The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the id parameter to form.php. |
| CVE-2016-4351 | 1 Trendmicro | 1 Email Encryption Gateway | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in the authentication functionality in Trend Micro Email Encryption Gateway (TMEEG) 5.5 before build 1107 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2021-39377 | 1 Os4ed | 1 Opensis | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter. |
| CVE-2021-39379 | 1 Os4ed | 1 Opensis | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter. |
| CVE-2021-40353 | 1 Os4ed | 1 Opensis | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637. |
| CVE-2021-38145 | 1 Formtools | 1 Core | 2021-09-08 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1. |
| CVE-2021-38390 | 1 Deltaww | 1 Diaenergie | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| CVE-2021-38391 | 1 Deltaww | 1 Diaenergie | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL | A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| CVE-2021-38393 | 1 Deltaww | 1 Diaenergie | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| CVE-2021-32983 | 1 Deltaww | 1 Diaenergie | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL | A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| CVE-2021-37749 | 1 Hexagongeospatial | 1 Geomedia Webmap | 2021-09-01 | 10.0 HIGH | 9.8 CRITICAL | MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. |
| CVE-2020-19705 | 1 Thinkphp-zcms Project | 1 Thinkphp-zcms | 2021-09-01 | 7.5 HIGH | 9.8 CRITICAL | thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add. |
| CVE-2020-18106 | 1 Wms Project | 1 Wms | 2021-09-01 | 7.5 HIGH | 9.8 CRITICAL | The GET parameter "id" in WMS v1.0 is passed without filtering, which allows attackers to perform SQL injection. |
| CVE-2021-37538 | 1 Smartdatasoft | 1 Smartblog | 2021-08-31 | 7.5 HIGH | 9.8 CRITICAL | Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller. |
| CVE-2021-36385 | 1 Cerner | 1 Mobile Care | 2021-08-31 | 10.0 HIGH | 9.8 CRITICAL | A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell. |
| CVE-2021-37358 | 1 Seacms | 1 Seacms | 2021-08-28 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection in SEACMS v210530 (2021-05-30) allows remote attackers to execute arbitrary code via the component "admin_ajax.php?action=checkrepeat&v_name=". |
| CVE-2020-20675 | 1 Nuishop | 1 Nuishop | 2021-08-27 | 7.5 HIGH | 9.8 CRITICAL | Nuishop v2.3 contains a SQL injection vulnerability in /goods/getGoodsListByConditions/. |
| CVE-2021-24551 | 1 Edit Comments Project | 1 Edit Comments | 2021-08-26 | 7.5 HIGH | 9.8 CRITICAL | The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue. |
| CVE-2020-18164 | 1 Tp-shop | 1 Tp-shop | 2021-08-25 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter. |
| CVE-2021-38302 | 1 Newsletter Project | 1 Newsletter | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection. |
| CVE-2021-28890 | 1 J2eefast | 1 J2eefast | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | J2eeFAST 2.2.1 allows remote attackers to perform SQL injection via the (1) compId parameter to fast/sys/user/list, (2) deptId parameter to fast/sys/role/list, or (3) roleId parameter to fast/sys/role/authUser/list, related to the use of ${} to join SQL statements. |
| CVE-2021-37350 | 1 Nagios | 1 Nagios Xi | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation. |
| CVE-2021-37599 | 1 Nuance | 1 Winscribe Dictation | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | The exporter/Login.aspx login form in the Exporter in Nuance Winscribe Dictation 4.1.0.99 is vulnerable to SQL injection that allows a remote, unauthenticated attacker to read the database (and execute code in some situations) via the txtPassword parameter. |
| CVE-2021-39302 | 1 Misp | 1 Misp | 2021-08-23 | 6.8 MEDIUM | 9.8 CRITICAL | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| CVE-2018-17988 | 1 Layerbb | 1 Layerbb | 2021-08-20 | 7.5 HIGH | 9.8 CRITICAL | LayerBB 1.1.1 and 1.1.3 has SQL Injection via the search.php search_query parameter. |
| CVE-2020-20975 | 1 Gxlcms | 1 Gxlcms | 2021-08-20 | 7.5 HIGH | 9.8 CRITICAL | In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter. |
| CVE-2021-36789 | 1 Dated News Project | 1 Dated News | 2021-08-20 | 7.5 HIGH | 9.8 CRITICAL | The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection. |
