Search
Total
2383 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24507 | 1 Brainstormforce | 1 Astra | 2021-08-17 | 7.5 HIGH | 9.8 CRITICAL |
| The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL statement, leading to an SQL Injection issues | |||||
| CVE-2021-38159 | 1 Progress | 1 Moveit Transfer | 2021-08-14 | 7.5 HIGH | 9.8 CRITICAL |
| In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4). | |||||
| CVE-2021-38167 | 1 Roxy-wi | 1 Roxy-wi | 2021-08-13 | 7.5 HIGH | 9.8 CRITICAL |
| Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication. | |||||
| CVE-2021-24321 | 1 Bold-themes | 1 Bello | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and bt_bb_listing_field_my_lat parameters before using them in a SQL statement, leading to SQL Injection issues | |||||
| CVE-2021-38574 | 1 Foxitsoftware | 2 Foxit Reader, Phantompdf | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows SQL Injection via crafted data at the end of a string. | |||||
| CVE-2021-36351 | 1 Care2x | 1 Hospital Information Management System | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection Vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php. | |||||
| CVE-2021-20028 | 1 Sonicwall | 6 Sma 210, Sma 210 Firmware, Sma 410 and 3 more | 2021-08-11 | 7.5 HIGH | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier. | |||||
| CVE-2021-37832 | 1 Digitaldruid | 1 Hoteldruid | 2021-08-11 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter. | |||||
| CVE-2021-37558 | 1 Centreon | 1 Centreon | 2021-08-10 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php. | |||||
| CVE-2020-35847 | 1 Agentejo | 1 Cockpit | 2021-08-10 | 7.5 HIGH | 9.8 CRITICAL |
| Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function. | |||||
| CVE-2020-35848 | 1 Agentejo | 1 Cockpit | 2021-08-10 | 7.5 HIGH | 9.8 CRITICAL |
| Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function. | |||||
| CVE-2019-10141 | 2 Openstack, Redhat | 3 Ironic-inspector, Enterprise Linux, Openstack | 2021-08-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service. | |||||
| CVE-2021-34165 | 1 Basic Shopping Cart Project | 1 Basic Shopping Cart | 2021-08-04 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability in Sourcecodester Basic Shopping Cart 1.0 allows a remote attacker to Bypass Authentication and become Admin. | |||||
| CVE-2020-21809 | 1 Nukeviet | 1 Nukeviet | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php. | |||||
| CVE-2020-21808 | 1 Nukeviet | 1 Nukeviet | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in NukeViet CMS 4.0.10 - 4.3.07 via:the topicsid parameter in modules/news/admin/addtotopics.php. | |||||
| CVE-2020-18175 | 1 Metinfo | 1 Metinfo | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php. | |||||
| CVE-2020-21806 | 1 Ectouch | 1 Ectouch | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection Vulnerability in ECTouch v2 via the shop page in index.php.. | |||||
| CVE-2021-37478 | 1 Naviwebs | 1 Navigatecms | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database. | |||||
| CVE-2020-18013 | 1 Whatsns | 1 Whatsns | 2021-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injextion vulnerability exists in Whatsns 4.0 via the ip parameter in index.php?admin_banned/add.htm. | |||||
| CVE-2021-25212 | 1 Alumni Management System Project | 1 Alumni Management System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Alumni Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to manage_event.php. | |||||
| CVE-2021-25202 | 1 Sales And Inventory System Project | 1 Sales And Inventory System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Sales and Inventory System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to \ahira\admin\inventory.php. | |||||
| CVE-2021-26223 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_pay.php. | |||||
| CVE-2021-26226 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_user.php. | |||||
| CVE-2020-36033 | 1 Water Billing System Project | 1 Water Billing System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the id parameter to edituser.php. | |||||
| CVE-2021-26232 | 1 Simple College Website Project | 1 Simple College Website | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Simple College Website v 1.0 allows remote attackers to execute arbitrary SQL statements via the id parameter to news.php. | |||||
| CVE-2021-26231 | 1 Fantastic Blog Cms Project | 1 Fantastic Blog Cms | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Fantastic Blog CMS v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to category.php. | |||||
| CVE-2021-26229 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_stud.php. | |||||
| CVE-2021-26228 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_class1.php. | |||||
| CVE-2020-18155 | 1 Intelliants | 1 Subrion | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection. | |||||
| CVE-2021-25213 | 1 Travel Management System Project | 1 Travel Management System | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Travel Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php. | |||||
| CVE-2021-25209 | 1 Theme Park Ticketing System Project | 1 Theme Park Ticketing System | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Theme Park Ticketing System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_user.php . | |||||
| CVE-2021-25205 | 1 E-commerce Website Project | 1 E-commerce Website | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL statements, via the update parameter to empViewUpdate.php . | |||||
| CVE-2021-37475 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database. | |||||
| CVE-2021-37477 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database. | |||||
| CVE-2021-37476 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database. | |||||
| CVE-2021-37473 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database. | |||||
| CVE-2020-18144 | 1 Ectouch | 1 Ectouch | 2021-07-22 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection Vulnerability in ECTouch v2 via the integral_min parameter in index.php. | |||||
| CVE-2020-9006 | 1 Sygnoos | 1 Popup Builder | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.) | |||||
| CVE-2021-35456 | 1 Online Pet Shop Web Application Project | 1 Online Pet Shop Web Application | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload | |||||
| CVE-2021-34187 | 1 Chamilo | 1 Chamilo | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. | |||||
| CVE-2020-23711 | 1 Naviwebs | 1 Navigate Cms | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php. | |||||
| CVE-2020-26712 | 1 Vanderbilt | 1 Redcap | 2021-07-01 | 10.0 HIGH | 9.8 CRITICAL |
| REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information from the submitted user that is not validated well in the database query, resulting in an SQL injection vulnerability where an attacker can exploit and compromise all databases. | |||||
| CVE-2020-18662 | 1 Gnuboard | 1 Gnuboard5 | 2021-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php. | |||||
| CVE-2020-20392 | 1 Txjia | 1 Imcat | 2021-06-25 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in imcat v5.2 via the fm[auser] parameters in coms/add_coms.php. | |||||
| CVE-2021-3604 | 1 Primion-digitek | 1 Secure 8 | 2021-06-24 | 7.5 HIGH | 9.8 CRITICAL |
| Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database. | |||||
| CVE-2021-24361 | 1 Ayecode | 1 Location Manager | 2021-06-24 | 7.5 HIGH | 9.8 CRITICAL |
| In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. | |||||
| CVE-2020-29214 | 1 Alumni Management System Project | 1 Alumni Management System | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows the user to inject SQL payload to bypass the authentication via admin/login.php. | |||||
| CVE-2020-22203 | 1 Phpcms | 1 Phpcms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in phpCMS 2008 sp4 via the genre parameter to yp/job.php. | |||||
| CVE-2020-22198 | 1 Dedecms | 1 Dedecms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php. | |||||
| CVE-2020-22206 | 1 Shopex | 1 Ecshop | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in ECShop 3.0 via the aid parameter to admin/affiliate_ck.php. | |||||