Search
Total
1733 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-42369 | 1 Zucchetti | 1 Imagicle Uc Suite | 2021-10-21 | 6.5 MEDIUM | 8.8 HIGH |
| Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. A low-privileged user could inject a SQL statement through the "Export to CSV" feature of the Contact Manager web GUI. | |||||
| CVE-2021-37737 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-10-20 | 6.5 MEDIUM | 8.8 HIGH |
| A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-42334 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2021-10-20 | 6.5 MEDIUM | 8.8 HIGH |
| The Easytest contains SQL injection vulnerabilities. After obtaining a user’s privilege, remote attackers can inject SQL commands into the parameters of the elective course management page to obtain all database and administrator permissions. | |||||
| CVE-2021-42333 | 1 Huaju | 1 Easytest Online Learning Test Platform | 2021-10-20 | 6.5 MEDIUM | 8.8 HIGH |
| The Easytest contains SQL injection vulnerabilities. After obtaining user’s privilege, remote attackers can inject SQL commands into the parameters of the learning history page to access all database and obtain administrator permissions. | |||||
| CVE-2021-33177 | 1 Nagios | 1 Nagios Xi | 2021-10-20 | 6.5 MEDIUM | 8.8 HIGH |
| The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries. | |||||
| CVE-2020-19957 | 1 Zzcms | 1 Zzcms | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page. | |||||
| CVE-2020-19959 | 1 Zzcms | 1 Zzcms | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie. | |||||
| CVE-2020-19960 | 1 Zzcms | 1 Zzcms | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie. | |||||
| CVE-2020-19961 | 1 Zzcms | 1 Zzcms | 2021-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php. | |||||
| CVE-2021-33736 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application. | |||||
| CVE-2021-33735 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application. | |||||
| CVE-2021-33734 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application. | |||||
| CVE-2021-33732 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application. | |||||
| CVE-2021-33733 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application. | |||||
| CVE-2021-33730 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application. | |||||
| CVE-2021-33731 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application. | |||||
| CVE-2021-33729 | 1 Siemens | 1 Sinec Nms | 2021-10-18 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker that is able to import firmware containers to an affected system could execute arbitrary commands in the local database. | |||||
| CVE-2021-24400 | 1 Wp-display-users Project | 1 Wp-display-users | 2021-10-18 | 6.5 MEDIUM | 7.2 HIGH |
| The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 had an `id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-36621 | 1 Online Covid Vaccination Scheduler System Project | 1 Online Covid Vaccination Scheduler System | 2021-10-18 | 6.8 MEDIUM | 8.1 HIGH |
| Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, an attacker can decrypt and obtain the plain-text password. Hence, the attacker could authenticate as Administrator. | |||||
| CVE-2021-29004 | 1 Rconfig | 1 Rconfig | 2021-10-16 | 6.5 MEDIUM | 8.8 HIGH |
| rConfig 3.9.6 is affected by SQL Injection. A user must be authenticated to exploit the vulnerability. If --secure-file-priv in MySQL server is not set and the Mysql server is the same as rConfig, an attacker may successfully upload a webshell to the server and access it remotely. | |||||
| CVE-2021-41920 | 1 Webtareas Project | 1 Webtareas | 2021-10-15 | 5.0 MEDIUM | 7.5 HIGH |
| webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters. This allows an attacker to access all the data in the database and obtain access to the webTareas application. | |||||
| CVE-2021-41651 | 1 Hotel Management System Project | 1 Hotel Management System | 2021-10-12 | 5.0 MEDIUM | 7.5 HIGH |
| A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable cid parameter in process_update_profile.php. | |||||
| CVE-2021-24465 | 1 Meowapps | 1 Meow Gallery | 2021-10-08 | 5.5 MEDIUM | 8.1 HIGH |
| The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (available for users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and arbitrary objects to be deserialized. | |||||
| CVE-2020-21013 | 1 Emlog | 1 Emlog | 2021-10-08 | 6.5 MEDIUM | 7.2 HIGH |
| emlog v6.0.0 contains a SQL injection via /admin/comment.php. | |||||
| CVE-2021-24606 | 1 Offshorewebmaster | 1 Availability Calendar | 2021-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+ | |||||
| CVE-2020-20692 | 1 Gilacms | 1 Gila Cms | 2021-10-01 | 6.5 MEDIUM | 7.2 HIGH |
| GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php. | |||||
| CVE-2021-40309 | 1 Os4ed | 1 Opensis | 2021-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability. | |||||
| CVE-2021-24398 | 1 Webpsilon | 1 Responsive 3d Slider | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query is ran twice. | |||||
| CVE-2021-24401 | 1 Wp-domain-redirect Project | 1 Wp-domain-redirect | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24402 | 1 Solvercircle | 1 Wp Icommerce | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors | |||||
| CVE-2021-24511 | 1 Dpl | 1 Product Feed On Woocommerce | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24403 | 1 Wpagecontact Project | 1 Wpagecontact | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors | |||||
| CVE-2021-24397 | 1 Activemedia | 1 Microcopy | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a get request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24404 | 1 Wp-board Project | 1 Wp-board | 2021-09-28 | 6.5 MEDIUM | 8.8 HIGH |
| The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query ran twice. | |||||
| CVE-2021-24399 | 1 Ombu | 1 The Sorter | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24396 | 1 Bestiaweb | 1 Gseor | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-23040 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2021-09-24 | 6.5 MEDIUM | 8.8 HIGH |
| On BIG-IP AFM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This issue is exposed only when BIG-IP AFM is provisioned. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2021-24726 | 1 Wpsimplebookingcalendar | 1 Wp Simple Booking Calendar | 2021-09-23 | 6.5 MEDIUM | 8.8 HIGH |
| The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue | |||||
| CVE-2021-24727 | 1 Stopbadbots | 1 Block And Stop Bad Bots | 2021-09-23 | 6.5 MEDIUM | 8.8 HIGH |
| The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameter in some of its admin dashboard pages, leading to Authenticated SQL Injections | |||||
| CVE-2021-38324 | 1 Smartypantsplugins | 1 Sp Rental Manager | 2021-09-22 | 5.0 MEDIUM | 7.5 HIGH |
| The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3. | |||||
| CVE-2021-27890 | 1 Mybb | 1 Mybb | 2021-09-21 | 6.8 MEDIUM | 8.8 HIGH |
| SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. | |||||
| CVE-2021-38723 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-09-20 | 6.5 MEDIUM | 8.8 HIGH |
| FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items | |||||
| CVE-2021-39375 | 1 Philips | 1 Tasy Electronic Medical Record | 2021-09-14 | 6.5 MEDIUM | 8.8 HIGH |
| Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. | |||||
| CVE-2019-7481 | 1 Sonicwall | 2 Sma 100, Sma 100 Firmware | 2021-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| Vulnerability in SonicWall SMA100 allow unauthenticated user to gain read-only access to unauthorized resources. This vulnerablity impacted SMA100 version 9.0.0.3 and earlier. | |||||
| CVE-2015-6028 | 1 Castlerock | 1 Snmpc | 2021-09-13 | 6.5 MEDIUM | 8.8 HIGH |
| Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via the sc parameter. | |||||
| CVE-2016-3675 | 1 Huawei | 2 Policy Center, Policy Center Firmware | 2021-09-13 | 6.5 MEDIUM | 8.1 HIGH |
| SQL injection vulnerability in Huawei Policy Center with software before V100R003C10SPC020 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to system databases. | |||||
| CVE-2021-38706 | 1 Cliniccases | 1 Cliniccases | 2021-09-10 | 6.5 MEDIUM | 8.8 HIGH |
| messages_load.php in ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter. | |||||
| CVE-2020-7819 | 2 Microsoft, Ntracker | 2 Windows, Ntracker Usb Enterprise | 2021-09-10 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL-Injection vulnerability in the nTracker USB Enterprise(secure USB management solution) allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. | |||||
| CVE-2020-20340 | 1 S-cms | 1 S-cms | 2021-09-10 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information. | |||||
| CVE-2021-24303 | 1 Jiangqie | 1 Official Website Mini Program | 2021-09-09 | 6.5 MEDIUM | 8.8 HIGH |
| The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues | |||||