Total: 1733 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24407 | 3 Cyrusimap, Debian, Fedoraproject | 3 Cyrus-sasl, Debian Linux, Fedora | 2022-07-25 | 6.5 MEDIUM | 8.8 HIGH |
| In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. | |||||
| CVE-2020-25638 | 4 Debian, Hibernate, Oracle and 1 more | 5 Debian Linux, Hibernate Orm, Communications Cloud Native Core Console and 2 more | 2022-07-25 | 5.8 MEDIUM | 7.4 HIGH |
| A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity. | |||||
| CVE-2022-32297 | 1 Piwigo | 1 Piwigo | 2022-07-25 | 5.1 MEDIUM | 7.5 HIGH |
| Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via the Search function. | |||||
| CVE-2022-34114 | 1 Dataease Project | 1 Dataease | 2022-07-25 | N/A | 8.8 HIGH |
| Dataease v1.11.1 was discovered to contain a SQL injection vulnerability via the parameter dataSourceId. | |||||
| CVE-2022-26120 | 1 Fortinet | 1 Fortiadc | 2022-07-25 | N/A | 8.8 HIGH |
| Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] in FortiADC management interface 7.0.0 through 7.0.1, 5.0.0 through 6.2.2 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | |||||
| CVE-2022-27386 | 1 Mariadb | 1 Mariadb | 2022-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| MariaDB Server v10.7 and below was discovered to contain a segmentation fault via the component sql/sql_class.cc. | |||||
| CVE-2022-27380 | 1 Mariadb | 1 Mariadb | 2022-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. | |||||
| CVE-2022-2263 | 1 Online Hotel Booking Project | 1 Online Hotel Booking | 2022-07-19 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability was found in Online Hotel Booking System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file edit_room_cat.php of the component Room Handler. The manipulation of the argument roomname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2262 | 1 Online Hotel Booking Project | 1 Online Hotel Booking | 2022-07-19 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability has been found in Online Hotel Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file edit_all_room.php of the component Room Handler. The manipulation of the argument id with the input 2828%27%20AND%20(SELECT%203766%20FROM%20(SELECT(SLEEP(5)))BmIK)%20AND%20%27YLPl%27=%27YLPl leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2019-5117 | 1 Youphptube | 1 Youphptube | 2022-07-19 | 6.5 MEDIUM | 8.8 HIGH |
| Exploitable SQL injection vulnerabilities exist in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2019-5116 | 1 Youphptube | 1 Youphptube | 2022-07-19 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause a SQL injection. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2017-20137 | 1 Itechscripts | 1 B2b Script | 2022-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in Itech B2B Script 4.28. It has been rated as critical. This issue affects some unknown processing of the file /catcompany.php. The manipulation of the argument token with the input 704667c6a1e7ce56d3d6fa748ab6d9af3fd7' AND 6539=6539 AND 'Fakj'='Fakj leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2017-20136 | 1 Itechscripts | 1 Classifieds Script | 2022-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability classified as critical has been found in Itech Classifieds Script 7.27. Affected is an unknown function of the file /subpage.php. The manipulation of the argument scat with the input =51' AND 4941=4941 AND 'hoCP'='hoCP leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-32416 | 1 Product Show Room Site Project | 1 Product Show Room Site | 2022-07-18 | 6.5 MEDIUM | 7.2 HIGH |
| Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_product. | |||||
| CVE-2022-32415 | 1 Product Show Room Site Project | 1 Product Show Room Site | 2022-07-18 | 6.5 MEDIUM | 8.8 HIGH |
| Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/?p=products/view_product&id=. | |||||
| CVE-2019-5110 | 1 Formalms | 1 Formalms | 2022-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2019-5109 | 1 Formalms | 1 Formalms | 2022-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2019-5119 | 1 Youphptube | 1 Youphptube | 2022-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2019-5120 | 1 Youphptube | 1 Youphptube | 2022-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2019-5121 | 1 Youphptube | 1 Youphptube | 2022-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerabilities exist in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with the parameter uuid in /objects/pluginSwitch.json.php. | |||||
| CVE-2019-5111 | 1 Formalms | 1 Formalms | 2022-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_cat were confirmed to suffer from SQL injection and could be exploited by authenticated attackers. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2019-5112 | 1 Formalms | 1 Formalms | 2022-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_status were confirmed to suffer from SQL injection and could be exploited by authenticated attackers. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access to the underlying operating system. | |||||
| CVE-2022-31058 | 1 Enalean | 1 Tuleap | 2022-07-15 | 6.5 MEDIUM | 7.2 HIGH |
| Tuleap is a Free & Open Source Suite to improve management of software development and collaboration. In versions prior to 13.9.99.95, Tuleap does not properly sanitize user input when constructing the SQL query that retrieves data for the tracker reports. An attacker with the capability to create a new tracker can execute arbitrary SQL queries. Users are advised to upgrade. There is no known workaround for this issue. | |||||
| CVE-2022-32055 | 1 Nesote | 1 Inout Homestay | 2022-07-15 | 5.0 MEDIUM | 7.5 HIGH |
| Inout Homestay v2.2 was discovered to contain a SQL injection vulnerability via the guests parameter at /index.php?page=search/rentals. | |||||
| CVE-2022-30619 | 1 Agilepoint | 1 Agilepoint Nx | 2022-07-14 | 6.5 MEDIUM | 8.8 HIGH |
| Editable SQL queries behind Base64 encoding are sent from the client side to the server side for a particular API used in the legacy Work Center module. The attack is available to any authenticated user in any kind of role, under the function /AgilePointServer/Extension/FetchUsingEncodedData in the parameter EncodedData. | |||||
| CVE-2022-34877 | 1 Vicidial | 1 Vicidial | 2022-07-13 | 9.0 HIGH | 8.8 HIGH |
| SQL Injection vulnerability in the AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows an attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrator of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. | |||||
| CVE-2022-34878 | 1 Vicidial | 1 Vicidial | 2022-07-13 | 9.0 HIGH | 8.8 HIGH |
| SQL Injection vulnerability in the User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows an attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrator of the database server. | |||||
| CVE-2022-34876 | 1 Vicidial | 1 Vicidial | 2022-07-13 | 8.5 HIGH | 8.8 HIGH |
| SQL Injection vulnerability in the admin interface (/vicidial/admin.php) of VICIdial via the modify_email_accounts, access_recordings, and agentcall_email parameters allows an attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrator of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555. | |||||
| CVE-2021-44915 | 1 Taogogo | 1 Taocms | 2022-07-13 | 6.5 MEDIUM | 7.2 HIGH |
| Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category. | |||||
| CVE-2021-38176 | 1 Sap | 4 Landscape Transformation, Landscape Transformation Replication Server, S\/4hana and 1 more | 2022-07-12 | 9.0 HIGH | 8.8 HIGH |
| Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system. | |||||
| CVE-2022-31092 | 1 Pimcore | 1 Pimcore | 2022-07-08 | 6.8 MEDIUM | 8.1 HIGH |
| Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. These listing classes also allow ordering or grouping the results based on one or more columns, which should be quoted by default. The actual issue is that quoting is not done properly in either case, so there is the theoretical possibility of injecting custom SQL if the developer uses these methods with input data without doing proper input validation in advance and relies on the auto-quoting done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apply the patch manually. There are no known workarounds for this issue. | |||||
| CVE-2017-20124 | 1 Bestsoftinc | 1 Online Hotel Booking System | 2022-07-08 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability classified as critical has been found in Online Hotel Booking System Pro Plugin 1.0. Affected is an unknown function of the file /front/roomtype-details.php. The manipulation of the argument tid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-33042 | 1 Online Railway Reservation System Project | 1 Online Railway Reservation System | 2022-07-07 | 6.5 MEDIUM | 7.2 HIGH |
| Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/inquiries/view_details.php. | |||||
| CVE-2022-33061 | 1 Online Railway Reservation System Project | 1 Online Railway Reservation System | 2022-07-07 | 6.5 MEDIUM | 7.2 HIGH |
| Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service. | |||||
| CVE-2022-33060 | 1 Online Railway Reservation System Project | 1 Online Railway Reservation System | 2022-07-07 | 6.5 MEDIUM | 7.2 HIGH |
| Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_schedule. | |||||
| CVE-2022-33059 | 1 Online Railway Reservation System Project | 1 Online Railway Reservation System | 2022-07-07 | 6.5 MEDIUM | 7.2 HIGH |
| Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_train. | |||||
| CVE-2022-33058 | 1 Online Railway Reservation System Project | 1 Online Railway Reservation System | 2022-07-07 | 6.5 MEDIUM | 7.2 HIGH |
| Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_message. | |||||
| CVE-2022-33057 | 1 Online Railway Reservation System Project | 1 Online Railway Reservation System | 2022-07-07 | 6.5 MEDIUM | 7.2 HIGH |
| Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_reservation. | |||||
| CVE-2017-20103 | 1 Wp-kama | 1 Kama Click Counter | 2022-07-07 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability classified as critical has been found in Kama Click Counter Plugin up to 3.4.8. This affects an unknown part of the file wp-admin/admin.php. The manipulation of the argument order_by/order with the input ASC%2c(select*from(select(sleep(2)))a) leads to sql injection (Blind). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.4.9 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2021-41460 | 1 Shopex | 1 Ecshop | 2022-07-07 | 5.0 MEDIUM | 7.5 HIGH |
| ECShop 4.1.0 has a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information. | |||||
| CVE-2017-20104 | 1 Simplessus | 1 Simplessus | 2022-07-07 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.8.3 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2022-2214 | 1 Library Management System Project | 1 Library Management System | 2022-07-07 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in SourceCodester Library Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /librarian/bookdetails.php. The manipulation of the argument id with the input ' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-31101 | 1 Prestashop | 1 Blockwishlist | 2022-07-06 | 6.5 MEDIUM | 8.8 HIGH |
| prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2021-24390 | 1 Alipay Project | 1 Alipay | 2022-07-02 | 6.5 MEDIUM | 7.2 HIGH |
| The proid GET parameter of the WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before being inserted into a SQL statement not delimited by quotes, leading to SQL injection. | |||||
| CVE-2021-29350 | 1 Shipment 100-design Material Download System Project | 1 Shipment 100-design Material Download System | 2022-07-02 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection in the getip function in conn/function.php in ??100-???????? 1.1 allows remote attackers to inject arbitrary SQL commands via the X-Forwarded-For header to admin/product_add.php. | |||||
| CVE-2022-27384 | 1 Mariadb | 1 Mariadb | 2022-07-01 | 5.0 MEDIUM | 7.5 HIGH |
| An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. | |||||
| CVE-2022-1472 | 1 Codesolz | 1 Better Find And Replace | 2022-07-01 | 6.5 MEDIUM | 7.2 HIGH |
| The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection. | |||||
| CVE-2022-32392 | 1 Prison Management System Project | 1 Prison Management System | 2022-06-29 | 6.5 MEDIUM | 8.8 HIGH |
| Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/actions/manage_action.php:4 | |||||
| CVE-2022-32391 | 1 Prison Management System Project | 1 Prison Management System | 2022-06-29 | 6.5 MEDIUM | 8.8 HIGH |
| Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/actions/view_action.php:4 | |||||
| CVE-2022-32393 | 1 Prison Management System Project | 1 Prison Management System | 2022-06-29 | 6.5 MEDIUM | 8.8 HIGH |
| Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the 'id' parameter at /pms/admin/cells/view_cell.php:4 | |||||
