Total: 1733 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000650 | 1 Librehealth | 1 Librehealth Ehr | 2018-10-16 | 6.5 MEDIUM | 8.8 HIGH |
| LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL injection vulnerability in the Show Groups Popup SQL query functions that can result in the ability to perform malicious database queries. This attack appears to be exploitable via user-controlled parameters. | |||||
| CVE-2018-15151 | 1 Open-emr | 1 Openemr | 2018-10-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. | |||||
| CVE-2018-15149 | 1 Open-emr | 1 Openemr | 2018-10-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter. | |||||
| CVE-2018-15150 | 1 Open-emr | 1 Openemr | 2018-10-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php. | |||||
| CVE-2018-15148 | 1 Open-emr | 1 Openemr | 2018-10-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter. | |||||
| CVE-2018-15147 | 1 Open-emr | 1 Openemr | 2018-10-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter. | |||||
| CVE-2018-2450 | 1 Sap | 1 Maxdb | 2018-10-11 | 6.5 MEDIUM | 7.2 HIGH |
| SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who obtains DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from the database. | |||||
| CVE-2018-15146 | 1 Open-emr | 1 Openemr | 2018-10-11 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter. | |||||
| CVE-2018-15144 | 1 Open-emr | 1 Openemr | 2018-10-10 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in interface/de_identification_forms/find_drug_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the search_term parameter. | |||||
| CVE-2016-4338 | 1 Zabbix | 1 Zabbix | 2018-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. | |||||
| CVE-2015-8356 | 1 Bitrix Project | 1 Bitrix | 2018-10-09 | 6.0 MEDIUM | 8.0 HIGH |
| Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (3) xls_iblock_section_id, (4) firstRow, (5) titleRow, (6) firstColumn, (7) highestColumn, (8) sku_iblock_id, or (9) xls_iblock_section_id_new parameter to admin/mcart_xls_import_step_2.php. | |||||
| CVE-2015-8355 | 1 Orion-soft | 1 Bitrix | 2018-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple SQL injection vulnerabilities in the orion.extfeedbackform module before 2.1.3 for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) order or (2) "by" parameter to admin/orion.extfeedbackform_efbf_forms.php. | |||||
| CVE-2015-4669 | 1 Xceedium | 1 Xsuite | 2018-10-09 | 7.2 HIGH | 7.8 HIGH |
| The MySQL "root" user in Xsuite 2.x does not have a password set, which allows local users to access databases on the system. | |||||
| CVE-2015-5533 | 1 Count Per Day Project | 1 Count Per Day | 2018-10-09 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. | |||||
| CVE-2018-14967 | 1 Emlsoft Project | 1 Emlsoft | 2018-10-04 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.user.php has SQL Injection via the numPerPage parameter. | |||||
| CVE-2018-12482 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-10-01 | 6.5 MEDIUM | 8.8 HIGH |
| OCS Inventory 2.4.1 contains multiple SQL injections in the search engine. Authentication is needed in order to exploit the issues. | |||||
| CVE-2018-12942 | 1 Seeddms | 1 Seeddms | 2018-09-28 | 9.0 HIGH | 8.8 HIGH |
| SQL injection vulnerability in the "Users management" functionality in SeedDMS (formerly LetoDMS and MyDMS) before 5.1.8 allows authenticated attackers to manipulate an SQL query within the application by sending additional SQL commands to the application server. An attacker can use this vulnerability to perform malicious tasks such as to extract, change, or delete sensitive information within the database supporting the application, and potentially run system commands on the underlying operating system. | |||||
| CVE-2018-0607 | 1 Cybozu | 1 Garoon | 2018-09-24 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the Notifications application in Cybozu Garoon 3.5.0 to 4.6.2 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-10936 | 1 Zte | 2 Zxcdn-sns, Zxcdn-sns Firmware | 2018-09-20 | 5.0 MEDIUM | 7.5 HIGH |
| SQL injection vulnerability in all versions prior to V4.01.01 of the ZTE ZXCDN-SNS product allows remote attackers to execute arbitrary SQL commands via the aoData parameter, resulting in the disclosure of database information. | |||||
| CVE-2017-10937 | 1 Zte | 2 Zxiptv-ucm, Zxiptv-ucm Firmware | 2018-09-20 | 5.0 MEDIUM | 7.5 HIGH |
| SQL injection vulnerability in all versions prior to V2.01.05.09 of the ZTE ZXIPTV-UCM product allows remote attackers to execute arbitrary SQL commands via the opertype parameter, resulting in the disclosure of database information. | |||||
| CVE-2018-14472 | 1 Wuzhicms | 1 Wuzhicms | 2018-09-14 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in WUZHI CMS 4.1.0. The vulnerable file is coreframe/app/order/admin/goods.php. The $keywords parameter is taken directly into execution without any filtering, leading to SQL injection. | |||||
| CVE-2018-12977 | 1 Softexpert | 1 Excellence Suite | 2018-09-05 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in the SoftExpert (SE) Excellence Suite 2.0 allows remote authenticated users to extract information from the database via the "cddocument" parameter in the "Downloading Electronic Documents" section. | |||||
| CVE-2018-3754 | 1 Query-mysql Project | 1 Query-mysql | 2018-09-04 | 6.5 MEDIUM | 8.8 HIGH |
| Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to SQL injection due to a lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from the database. | |||||
| CVE-2018-11643 | 1 Dialogic | 1 Powermedia Xms | 2018-08-31 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote authenticated users to execute arbitrary SQL commands via the filterPattern parameter. | |||||
| CVE-2018-13049 | 1 Glpi-project | 1 Glpi | 2018-08-30 | 6.5 MEDIUM | 8.8 HIGH |
| The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php. | |||||
| CVE-2018-7772 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-28 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability exists within processing of applets which are exposed on the web service in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query to determine whether a user is logged in is subject to SQL injection on the loginSeed parameter, which can be embedded in the HTTP cookie of the request. | |||||
| CVE-2018-7773 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-23 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability exists within processing of nfcserver.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the sessionid input parameter. | |||||
| CVE-2018-7767 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-21 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability exists within processing of editobject.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the type input parameter. | |||||
| CVE-2018-7774 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-21 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability exists within processing of localize.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the username input parameter. | |||||
| CVE-2018-7769 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-21 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability exists within processing of xmlserver.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the id input parameter. | |||||
| CVE-2018-7766 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-21 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability exists within processing of track_getdata.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the id input parameter. | |||||
| CVE-2018-7768 | 1 Schneider-electric | 1 U.motion Builder | 2018-08-21 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability exists within processing of loadtemplate.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the tpl input parameter. | |||||
| CVE-2018-8802 | 1 Unisys | 2 Clearpath Eportal Manager, Eportal-2200 | 2018-08-21 | 6.5 MEDIUM | 8.1 HIGH |
| SQL injection vulnerability in the management interface in ePortal Manager allows remote attackers to execute arbitrary SQL commands via unspecified parameters. | |||||
| CVE-2018-12912 | 1 Hongcms Project | 1 Hongcms | 2018-08-20 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in admin\controllers\database.php in HongCMS 3.0.0. There is a SQL injection vulnerability via an admin/index.php/database/operate?dbaction=emptytable&tablename= URI. | |||||
| CVE-2018-0606 | 1 Pixelpost | 1 Pixelpost | 2018-08-17 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in Pixelpost v1.7.3 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2018-1000552 | 1 Trovebox | 1 Trovebox | 2018-08-17 | 6.5 MEDIUM | 8.8 HIGH |
| Trovebox version <= 4.0.0-rc6 contains a SQL injection vulnerability in the album component that can result in SQL code injection. This attack appears to be exploitable via an HTTP request. This vulnerability appears to have been fixed after commit 742b8ed. | |||||
| CVE-2017-16542 | 1 Zohocorp | 1 Manageengine Applications Manager | 2018-08-07 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. | |||||
| CVE-2018-12254 | 1 Harmistechnology | 1 Ek Rishta | 2018-08-02 | 6.5 MEDIUM | 8.8 HIGH |
| router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for Joomla! allows SQL Injection via the PATH_INFO to a home/requested_user/Sent%20interest/ URI. | |||||
| CVE-2018-12110 | 1 Portfoliocms Project | 1 Portfoliocms | 2018-07-27 | 6.5 MEDIUM | 7.2 HIGH |
| portfolioCMS 1.0.5 has SQL Injection via the admin/portfolio.php preview parameter. | |||||
| CVE-2016-6616 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 6.8 MEDIUM | 7.5 HIGH |
| An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected. | |||||
| CVE-2016-6619 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2018-11470 | 1 Iscripts | 1 Eswap | 2018-06-27 | 6.5 MEDIUM | 8.8 HIGH |
| iScripts eSwap v2.4 has SQL injection via the "search.php" 'Told' parameter in the User Panel. | |||||
| CVE-2018-11231 | 1 Divido | 1 Divido | 2018-06-26 | 6.8 MEDIUM | 8.1 HIGH |
| The Divido plugin for OpenCart is vulnerable to SQL injection, which attackers can use to obtain confidential information. | |||||
| CVE-2018-11414 | 1 Bearadmin Project | 1 Bearadmin | 2018-06-25 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in BearAdmin 0.5. There is admin/admin_log/index.html?user_id= SQL injection because admin\controller\AdminLog.php constructs a MySQL query improperly. | |||||
| CVE-2018-10350 | 2 Linux, Trendmicro | 2 Linux Kernel, Smart Protection Server | 2018-06-25 | 9.0 HIGH | 8.8 HIGH |
| A SQL injection remote code execution vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw within the handling of parameters provided to wcs_bwlists_handler.php. Authentication is required in order to exploit this vulnerability. | |||||
| CVE-2018-10356 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-06-22 | 9.0 HIGH | 8.8 HIGH |
| A SQL injection remote code execution vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formRequestDomains class. Authentication is required to exploit this vulnerability. | |||||
| CVE-2018-10352 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formConfiguration class. Authentication is required to exploit this vulnerability. | |||||
| CVE-2018-10351 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-06-22 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to execute arbitrary SQL statements on vulnerable installations due to a flaw in the formRegistration2 class. Authentication is required to exploit this vulnerability. | |||||
| CVE-2018-9250 | 1 Open-emr | 1 Openemr | 2018-06-20 | 6.5 MEDIUM | 8.8 HIGH |
| interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter. | |||||
| CVE-2018-10737 | 1 Nagios | 1 Nagios Xi | 2018-06-15 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/logbook.php txtSearch parameter. | |||||
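Most entries above are the same defect: a request parameter (search_term, text, id, encounter, numPerPage, txtSearch) is formatted into the SQL string, and CVE-2018-13049 shows the variant where the untrusted value lands in a LIMIT clause, where quoting is no help at all because the value is never inside a string literal. The following is an added example written for this page, not code from OpenEMR, GLPI or any other listed product; the schema, table names, hash strings and payload are constructed. It shows a UNION payload reading a second table through a concatenated search query, the same input bound as a parameter returning nothing, and an integer allow-list for a LIMIT value.

```python
import sqlite3

MAX_PAGE_SIZE = 100


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for an application database (not real product data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE drugs (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO drugs (name) VALUES ('Aspirin'), ('Ibuprofen'), ('Metformin');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL);
        INSERT INTO users (username, password_hash)
            VALUES ('admin', 'hash-of-admin-password'), ('nurse', 'hash-of-nurse-password');
    """)
    return con


def find_drug_vulnerable(con: sqlite3.Connection, search_term: str) -> list[str]:
    # The CVE pattern: the request parameter is spliced into the SQL text, so a quote in it
    # ends the string literal and the remainder of the value is parsed as SQL.
    sql = f"SELECT name FROM drugs WHERE name LIKE '%{search_term}%'"
    return [row[0] for row in con.execute(sql)]


def find_drug_fixed(con: sqlite3.Connection, search_term: str) -> list[str]:
    # The fix: the value is bound as a parameter; the driver never parses it as SQL.
    pattern = "%" + search_term + "%"
    return [row[0] for row in con.execute("SELECT name FROM drugs WHERE name LIKE ?", (pattern,))]


def parse_limit(raw: str) -> int:
    # LIMIT/OFFSET are numbers, not strings: insist on ASCII digits and a sane range.
    # A search builder that assembles its own LIMIT clause must do this check, because
    # escaping cannot help once the value sits outside a string literal.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"invalid LIMIT value: {raw!r}")
    n = int(raw)
    if not 1 <= n <= MAX_PAGE_SIZE:
        raise ValueError(f"LIMIT out of range: {n}")
    return n


def list_drugs(con: sqlite3.Connection, raw_limit: str) -> list[str]:
    limit = parse_limit(raw_limit)
    # SQLite accepts a bound LIMIT; with a driver that does not, only the validated int is formatted in.
    return [row[0] for row in con.execute("SELECT name FROM drugs ORDER BY name LIMIT ?", (limit,))]


# Constructed payload of the kind sent in a search_term parameter: closes the LIKE literal,
# appends a UNION that reads another table, and comments out the trailing "%'".
UNION_PAYLOAD = "zzz%' UNION SELECT username || ':' || password_hash FROM users --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", find_drug_vulnerable(con, UNION_PAYLOAD))
    print("fixed:     ", find_drug_fixed(con, UNION_PAYLOAD))
    print("page of 2: ", list_drugs(con, "2"))
```

The vulnerable function returns the users table for a search that should match no drug; the bound version treats the whole payload as a literal and returns an empty list. parse_limit rejects "10; DROP TABLE drugs" and "1 OFFSET 0 UNION SELECT 1" before any SQL is built, which is the check GLPI's constructSQL needed.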

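CVE-2018-7772 is a reminder that cookie values are request input too: the loginSeed consulted by the logged-in check came from the HTTP Cookie header, and the SQLite query behind it decided authentication. The added example below is not Schneider Electric code; the sessions table, 32-hex-digit token format, cookie name and bypass string are assumptions made for illustration. It shows the tautology that makes such a check succeed for any caller, and a fix that both rejects values not shaped like an issued token and binds the value anyway.

```python
import re
import sqlite3
from typing import Optional

# Assumed token format: a session seed is an opaque 32-hex-digit value the server issued.
SEED_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def make_db() -> sqlite3.Connection:
    """Constructed sessions table (not taken from any listed product)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sessions (seed TEXT PRIMARY KEY, username TEXT NOT NULL);
        INSERT INTO sessions VALUES ('3f6c1e8b0a9d4c2e5b7f1a0c9e8d7b6a', 'installer');
        INSERT INTO sessions VALUES ('a1b2c3d4e5f60718293a4b5c6d7e8f90', 'viewer');
    """)
    return con


def cookie_value(header: str, name: str) -> Optional[str]:
    """Minimal Cookie-header parser: returns the raw value for `name`, or None if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def logged_in_vulnerable(con: sqlite3.Connection, cookie_header: str) -> Optional[str]:
    # The CVE pattern: the cookie-sourced seed is formatted into the query that decides
    # whether the caller is logged in. A tautology makes the WHERE clause true for every row,
    # so the first session in the table is returned and the caller is treated as that user.
    seed = cookie_value(cookie_header, "loginSeed") or ""
    row = con.execute(f"SELECT username FROM sessions WHERE seed = '{seed}'").fetchone()
    return row[0] if row else None


def logged_in_fixed(con: sqlite3.Connection, cookie_header: str) -> Optional[str]:
    seed = cookie_value(cookie_header, "loginSeed") or ""
    # Defence in depth: reject anything not shaped like a token this server would issue ...
    if not SEED_RE.match(seed):
        return None
    # ... and bind the value regardless, so the shape check is not the only line of defence.
    row = con.execute("SELECT username FROM sessions WHERE seed = ?", (seed,)).fetchone()
    return row[0] if row else None


# Constructed Cookie header carrying the classic tautology in place of a real seed.
BYPASS_COOKIE = "lang=en; loginSeed=' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable check says logged in as:", logged_in_vulnerable(con, BYPASS_COOKIE))
    print("fixed check says logged in as:     ", logged_in_fixed(con, BYPASS_COOKIE))
```

With the bypass cookie the vulnerable check runs `WHERE seed = '' OR '1'='1'` and returns an existing session's user; the fixed check returns None for the same header and still resolves a genuine seed to its user.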