Search
Total
2383 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-6805 | 1 S-cms | 1 S-cms | 2019-01-25 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter. | |||||
| CVE-2018-20715 | 1 Oxid-esales | 1 Eshop | 2019-01-23 | 7.5 HIGH | 9.8 CRITICAL |
| The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php. | |||||
| CVE-2018-20716 | 1 Cubecart | 1 Cubecart | 2019-01-23 | 7.5 HIGH | 9.8 CRITICAL |
| CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature. | |||||
| CVE-2019-6497 | 1 Hotels Server Project | 1 Hotels Server | 2019-01-23 | 7.5 HIGH | 9.8 CRITICAL |
| Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter. | |||||
| CVE-2019-6295 | 1 Skymoonlabs | 1 Cleanto | 2019-01-18 | 7.5 HIGH | 9.8 CRITICAL |
| Cleanto 5.0 has SQL Injection via the assets/lib/service_method_ajax.php service_id parameter. | |||||
| CVE-2019-6296 | 1 Skymoonlabs | 1 Cleanto | 2019-01-18 | 7.5 HIGH | 9.8 CRITICAL |
| Cleanto 5.0 has SQL Injection via the assets/lib/export_ajax.php id parameter. | |||||
| CVE-2019-5893 | 1 Nelson-it | 1 Open Source Erp | 2019-01-17 | 7.5 HIGH | 9.8 CRITICAL |
| Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter. | |||||
| CVE-2019-6259 | 1 Icmsdev | 1 Icms | 2019-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL Injection via the app/article/article.admincp.php _data_id parameter. | |||||
| CVE-2018-19415 | 1 Plikli | 1 Plikli Cms | 2019-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Plikli CMS 4.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to join_group.php or (2) comment_id parameter to story.php. | |||||
| CVE-2018-19925 | 1 Sales \& Company Management System Project | 1 Sales \& Company Management System | 2019-01-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter. | |||||
| CVE-2018-1000631 | 1 Battelle | 1 V2i Hub | 2019-01-11 | 7.5 HIGH | 9.8 CRITICAL |
| Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tmx/TmxCtl/src/lib/PluginStatus.cpp and TmxControl::user_info() function, which could allow the attacker to view, add, modify or delete information in the back-end database. | |||||
| CVE-2018-20569 | 1 Generic Content Management System Project | 1 Generic Content Management System | 2019-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| user/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass. | |||||
| CVE-2018-20572 | 1 Wuzhicms | 1 Wuzhicms | 2019-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893. | |||||
| CVE-2018-18399 | 1 Jco | 1 Karma | 2019-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the "ContentPlaceHolder1_uxTitle" component in ArchiveNews.aspx in jco.ir KARMA 6.0.0 allows a remote attacker to execute arbitrary SQL commands via the "id" parameter. | |||||
| CVE-2018-13045 | 1 Yeswiki | 1 Cercopitheque | 2019-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the "Bazar" page in Yeswiki Cercopitheque 2018-06-19-1 and earlier allows attackers to execute arbitrary SQL commands via the "id" parameter. | |||||
| CVE-2018-1000869 | 1 Phpipam | 1 Phpipam | 2019-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4. | |||||
| CVE-2018-20508 | 1 Crashfix Project | 1 Crashfix | 2019-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search() function. | |||||
| CVE-2018-1000871 | 1 Digitaldruid | 1 Hoteldruid | 2019-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL Injection vulnerability in "id_utente_mod" parameter in gestione_utenti.php file that can result in An attacker can dump all the database records of backend webserver. This attack appear to be exploitable via the attack can be done by anyone via specially crafted sql query passed to the "id_utente_mod=1" parameter. | |||||
| CVE-2018-18923 | 1 Abisoftgt | 1 Ticketly | 2019-01-02 | 7.5 HIGH | 9.8 CRITICAL |
| AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id and status_id in reports.php. | |||||
| CVE-2018-20479 | 1 S-cms | 1 S-cms | 2018-12-31 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter. | |||||
| CVE-2018-20480 | 1 S-cms | 1 S-cms | 2018-12-31 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter. | |||||
| CVE-2018-20477 | 1 S-cms | 1 S-cms | 2018-12-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field. | |||||
| CVE-2018-18619 | 1 Advanced Comment System Project | 1 Advanced Comment System | 2018-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute the sqli attack via a URL in the "page" parameter. NOTE: The product is discontinued. | |||||
| CVE-2018-19893 | 1 Pbootcms | 1 Pbootcms | 2018-12-26 | 7.5 HIGH | 9.8 CRITICAL |
| SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string. | |||||
| CVE-2018-13350 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter. | |||||
| CVE-2018-19468 | 1 Hucart | 1 Hucart | 2018-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| HuCart 5.7.4 has SQL injection in get_ip() in system/class/helper_class.php via the X-Forwarded-For HTTP header to the user/index.php?load=login&act=act_login URI. | |||||
| CVE-2018-19557 | 1 Arcms Project | 1 Arcms | 2018-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in arcms through 2018-03-19. No authentication is required for index/main, user/useradd, or img/images. | |||||
| CVE-2018-19558 | 1 Arcms Project | 1 Arcms | 2018-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in arcms through 2018-03-19. SQL injection exists via the json/newslist limit parameter because of ctl/main/Json.php, ctl/main/service/Data.php, and comp/Db/Mysql.php. | |||||
| CVE-2018-19559 | 1 Cuppacms | 1 Cuppacms | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL |
| CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter. | |||||
| CVE-2018-18822 | 1 Grapixel | 1 New Media | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL |
| Grapixel New Media v2.0 allows SQL Injection via the pages.aspx pageref parameter. | |||||
| CVE-2016-10731 | 1 Projectsend | 1 Projectsend | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL |
| ProjectSend (formerly cFTP) r582 allows SQL injection via manage-files.php with the request parameter status, manage-files.php with the request parameter files, clients.php with the request parameter selected_clients, clients.php with the request parameter status, process-zip-download.php with the request parameter file, or home-log.php with the request parameter action. | |||||
| CVE-2018-18801 | 1 Bsen Ordering Software Project | 1 Bsen Ordering Software | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL |
| The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL]. | |||||
| CVE-2018-18796 | 1 Library Management System Project | 1 Library Management System | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL |
| Library Management System 1.0 has SQL Injection via the "Search for Books" screen. | |||||
| CVE-2018-18795 | 1 School Event Management System Project | 1 School Event Management System | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL |
| School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter. | |||||
| CVE-2018-18763 | 1 Saltos | 1 Saltos | 2018-12-18 | 7.5 HIGH | 9.8 CRITICAL |
| SaltOS 3.1 r8126 allows action=ajax&query=numbers&page=usuarios&action2=[SQL] SQL Injection. | |||||
| CVE-2018-18806 | 1 School Equipment Monitoring System Project | 1 School Equipment Monitoring System | 2018-12-17 | 7.5 HIGH | 9.8 CRITICAL |
| School Equipment Monitoring System 1.0 allows SQL injection via the login screen, related to include/user.vb. | |||||
| CVE-2018-18804 | 1 Bakeshop Inventory System Project | 1 Bakeshop Inventory System | 2018-12-17 | 7.5 HIGH | 9.8 CRITICAL |
| Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb. | |||||
| CVE-2018-18803 | 1 Curriculum Evaluation System Project | 1 Curriculum Evaluation System | 2018-12-17 | 7.5 HIGH | 9.8 CRITICAL |
| Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb. | |||||
| CVE-2018-18476 | 1 Nedap | 1 Mysql-binuuid-rails | 2018-12-13 | 7.5 HIGH | 9.8 CRITICAL |
| mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes default string escaping for affected database columns. | |||||
| CVE-2018-18963 | 1 Degraupublicidade | 1 Degraupublicidade | 2018-12-13 | 7.5 HIGH | 9.8 CRITICAL |
| Busca.aspx.cs in Degrau Publicidade e Internet Plataforma de E-commerce allows SQL Injection via the busca/ URI. | |||||
| CVE-2018-19221 | 1 Laobancms | 1 Laobancms | 2018-12-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via the admin/login.php guanliyuan parameter. | |||||
| CVE-2016-6818 | 1 Sap | 1 Business Intelligence Platform | 2018-12-10 | 10.0 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL query. The vendor response is SAP Security Note 2361633. | |||||
| CVE-2018-19061 | 1 Dedecms | 1 Dedecms | 2018-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter. | |||||
| CVE-2018-18887 | 1 S-cms | 1 S-cms | 2018-12-08 | 7.5 HIGH | 9.8 CRITICAL |
| S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type parameter (aka the $N_type field). | |||||
| CVE-2018-18832 | 1 Dkcms | 1 Dkcms | 2018-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| admin/check.asp in DKCMS 9.4 allows SQL Injection via an ASPSESSIONID cookie to admin/admin.asp. | |||||
| CVE-2015-4633 | 1 Koha | 1 Koha | 2018-12-06 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface. | |||||
| CVE-2018-18546 | 1 Thinkphp | 1 Thinkphp | 2018-12-04 | 7.5 HIGH | 9.8 CRITICAL |
| ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable. | |||||
| CVE-2018-18705 | 1 Phptpoint | 1 Hospital Management System | 2018-12-04 | 7.5 HIGH | 9.8 CRITICAL |
| PhpTpoint hospital management system suffers from multiple SQL injection vulnerabilities via the index.php user parameter associated with LOGIN.php, or the rno parameter to ALIST.php, DUNDEL.php, PDEL.php, or PUNDEL.php. | |||||
| CVE-2018-18704 | 1 Phptpoint | 1 Pharmacy Management System | 2018-12-04 | 7.5 HIGH | 9.8 CRITICAL |
| PhpTpoint Pharmacy Management System suffers from a SQL injection vulnerability in the index.php username parameter. | |||||
| CVE-2018-18702 | 1 Icmsdev | 1 Icms | 2018-12-04 | 7.5 HIGH | 9.8 CRITICAL |
| spider.admincp.php in iCMS v7.0.11 allows SQL injection via admincp.php?app=spider&do=import_rule because the upfile content is base64 decoded, deserialized, and used for database insertion. | |||||