Search
Total
280 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21747 | 1 Wedevs | 1 Wp Erp | 2024-01-11 | N/A | 4.9 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting.This issue affects WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting: from n/a through 1.12.8. | |||||
| CVE-2023-39853 | 1 Dzzoffice | 1 Dzzoffice | 2024-01-11 | N/A | 6.5 MEDIUM |
| SQL Injection vulnerability in Dzzoffice version 2.01, allows remote attackers to obtain sensitive information via the doobj and doevent parameters in the Network Disk backend module. | |||||
| CVE-2022-2718 | 1 Beardev | 1 Joomsport | 2024-01-11 | N/A | 4.9 MEDIUM |
| The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-page-extrafields page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2022-2717 | 1 Beardev | 1 Joomsport | 2024-01-11 | N/A | 4.9 MEDIUM |
| The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter on the joomsport-events-form page in versions up to, and including, 5.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrative privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2023-6981 | 1 Veronalabs | 1 Wp Sms | 2024-01-09 | N/A | 4.9 MEDIUM |
| The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to SQL Injection via the 'group_id' parameter in all versions up to, and including, 6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can leveraged to achieve Reflected Cross-site Scripting. | |||||
| CVE-2024-0270 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0. This affects an unknown part of the file item_list_submit.php. The manipulation of the argument item_name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249825 was assigned to this vulnerability. | |||||
| CVE-2024-0272 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical. This issue affects some unknown processing of the file addmaterialsubmit.php. The manipulation of the argument material_name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249827. | |||||
| CVE-2024-0271 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical. This vulnerability affects unknown code of the file addmaterial_edit.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249826 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0275 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file item_edit_submit.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249830 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0274 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file billAjax.php. The manipulation of the argument item_name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249829 was assigned to this vulnerability. | |||||
| CVE-2024-0273 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been classified as critical. Affected is an unknown function of the file addwaste_entry.php. The manipulation of the argument item_name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249828. | |||||
| CVE-2024-0279 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in Kashipara Food Management System up to 1.0. Affected is an unknown function of the file item_list_edit.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249834 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0278 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Kashipara Food Management System up to 1.0. This issue affects some unknown processing of the file partylist_edit_submit.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249833 was assigned to this vulnerability. | |||||
| CVE-2024-0276 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability classified as critical has been found in Kashipara Food Management System up to 1.0. This affects an unknown part of the file rawstock_used_damaged_smt.php. The manipulation of the argument product_name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249831. | |||||
| CVE-2024-0277 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability classified as critical was found in Kashipara Food Management System up to 1.0. This vulnerability affects unknown code of the file party_submit.php. The manipulation of the argument party_name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249832. | |||||
| CVE-2024-0281 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file loginCheck.php. The manipulation of the argument password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249836. | |||||
| CVE-2024-0280 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.5 MEDIUM |
| A vulnerability has been found in Kashipara Food Management System up to 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file item_type_submit.php. The manipulation of the argument type_name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249835. | |||||
| CVE-2023-7180 | 1 Tongda2000 | 1 Office Anywhere 2017 | 2024-01-05 | N/A | 4.3 MEDIUM |
| A vulnerability has been found in Tongda OA 2017 up to 11.9 and classified as critical. Affected by this vulnerability is an unknown functionality of the file general/project/proj/delete.php. The manipulation of the argument PROJ_ID_STR leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-249367. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-32743 | 1 Woocommerce | 1 Automatewoo | 2023-12-28 | N/A | 4.9 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 5.7.1. | |||||
| CVE-2023-47236 | 1 Ipages Flipbook Project | 1 Ipages Flipbook | 2023-12-28 | N/A | 4.9 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Avirtum iPages Flipbook For WordPress.This issue affects iPages Flipbook For WordPress: from n/a through 1.4.8. | |||||
| CVE-2023-38519 | 1 Mainwp | 1 Mainwp Dashboard | 2023-12-28 | N/A | 4.9 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance.This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from n/a through 4.4.3.3. | |||||
| CVE-2022-3471 | 1 Oretnom23 | 1 Human Resource Management System | 2023-12-28 | N/A | 4.9 MEDIUM |
| A vulnerability was found in SourceCodester Human Resource Management System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file city.php. The manipulation of the argument searccity leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-210715. | |||||
| CVE-2023-44284 | 1 Dell | 12 Apex Protection Storage, Dd3300, Dd6400 and 9 more | 2023-12-27 | N/A | 4.3 MEDIUM |
| Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. | |||||
| CVE-2023-30872 | 1 Bannersky | 1 Bsk Forms Blacklist | 2023-12-26 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BannerSky BSK Forms Blacklist.This issue affects BSK Forms Blacklist: from n/a through 3.6.2. | |||||
| CVE-2023-48395 | 1 Kaifa | 1 Webitr Attendance System | 2023-12-22 | N/A | 6.5 MEDIUM |
| Kaifa Technology WebITR is an online attendance system, it has insufficient validation for user input within a special function. A remote attacker with regular user privilege can exploit this vulnerability to inject arbitrary SQL commands to read database. | |||||
| CVE-2023-30867 | 1 Apache | 1 Streampark | 2023-12-21 | N/A | 4.9 MEDIUM |
| In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage. Mitigation: Users are recommended to upgrade to version 2.1.2, which fixes the issue. | |||||
| CVE-2023-1909 | 1 Phpgurukul | 1 Bp Monitoring Management System | 2023-12-21 | N/A | 6.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in PHPGurukul BP Monitoring Management System 1.0. Affected is an unknown function of the file profile.php of the component User Profile Update Handler. The manipulation of the argument name/mobno leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225318 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-47558 | 1 Lindeni | 1 Who Hit The Page - Hit Counter | 2023-12-20 | N/A | 6.5 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mahlamusa Who Hit The Page – Hit Counter allows SQL Injection.This issue affects Who Hit The Page – Hit Counter: from n/a through 1.4.14.3. | |||||
| CVE-2023-36652 | 1 Prolion | 1 Cryptospike | 2023-12-13 | N/A | 4.3 MEDIUM |
| A SQL Injection in the users searching REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to read database data via SQL commands injected in the search parameter. | |||||
| CVE-2023-46025 | 1 Phpgurukul | 1 Teacher Subject Allocation Management System | 2023-11-17 | N/A | 4.9 MEDIUM |
| SQL Injection vulnerability in teacher-info.php in phpgurukul Teacher Subject Allocation Management System 1.0 allows attackers to obtain sensitive information via the 'editid' parameter. | |||||
| CVE-2023-46023 | 1 Code-projects | 1 Simple Task List | 2023-11-17 | N/A | 6.5 MEDIUM |
| SQL injection vulnerability in addTask.php in Code-Projects Simple Task List 1.0 allows attackers to obtain sensitive information via the 'status' parameter. | |||||
| CVE-2023-46581 | 1 Code-projects | 1 Inventory Management | 2023-11-17 | N/A | 5.5 MEDIUM |
| SQL injection vulnerability in Inventory Management v.1.0 allows a local attacker to execute arbitrary code via the name, uname and email parameters in the registration.php component. | |||||
| CVE-2023-46021 | 1 Code-projects | 1 Blood Bank | 2023-11-16 | N/A | 5.5 MEDIUM |
| SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary commands via the 'reqid' parameter. | |||||
| CVE-2023-46014 | 1 Code-projects | 1 Blood Bank | 2023-11-16 | N/A | 5.5 MEDIUM |
| SQL Injection vulnerability in hospitalLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'hemail' and 'hpassword' parameters. | |||||
| CVE-2023-46018 | 1 Code-projects | 1 Blood Bank | 2023-11-16 | N/A | 5.5 MEDIUM |
| SQL injection vulnerability in receiverReg.php in Code-Projects Blood Bank 1.0 \allows attackers to run arbitrary SQL commands via 'remail' parameter. | |||||
| CVE-2023-46017 | 1 Code-projects | 1 Blood Bank | 2023-11-16 | N/A | 5.5 MEDIUM |
| SQL Injection vulnerability in receiverLogin.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary SQL commands via 'remail' and 'rpassword' parameters. | |||||
| CVE-2023-5152 | 1 Dlink | 2 Dar-8000, Dar-8000 Firmware | 2023-11-16 | N/A | 6.5 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-7000 and DAR-8000 up to 20151231. Affected by this issue is some unknown functionality of the file /importexport.php. The manipulation of the argument sql leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-240248. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced. | |||||
| CVE-2022-0842 | 1 Mcafee | 1 Epolicy Orchestrator | 2023-11-15 | 4.0 MEDIUM | 4.9 MEDIUM |
| A blind SQL injection vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote authenticated attacker to potentially obtain information from the ePO database. The data obtained is dependent on the privileges the attacker has and to obtain sensitive data the attacker would require administrator privileges. | |||||
| CVE-2021-27545 | 1 Phpgurukul | 1 Beauty Parlour Management System | 2023-11-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter. | |||||
| CVE-2023-5709 | 1 Web-dorado | 1 Wd Widgettwitter | 2023-11-14 | N/A | 6.5 MEDIUM |
| The WD WidgetTwitter plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2021-37808 | 1 Phpgurukul | 1 News Portal | 2023-11-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| SQL Injection vulnerabilities exist in https://phpgurukul.com News Portal Project 3.1 via the (1) category, (2) subcategory, (3) sucatdescription, and (4) username parameters, the server response is about (N) seconds delay respectively which mean it is vulnerable to MySQL Blind (Time Based). An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database. | |||||
| CVE-2021-37806 | 1 Phpgurukul | 1 Vehicle Parking Management System | 2023-11-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| An SQL Injection vulnerability exists in https://phpgurukul.com Vehicle Parking Management System affected version 1.0. The system is vulnerable to time-based SQL injection on multiple endpoints. Based on the SLEEP(N) function payload that will sleep for a number of seconds used on the (1) editid , (2) viewid, and (3) catename parameters, the server response is about (N) seconds delay respectively which mean it is vulnerable to MySQL Blind (Time Based). An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database. | |||||
| CVE-2023-46490 | 1 Cacti | 1 Cacti | 2023-11-13 | N/A | 6.5 MEDIUM |
| SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker to obtain sensitive information via the form_actions() function in the managers.php function. | |||||
| CVE-2023-39365 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2023-11-09 | N/A | 6.3 MEDIUM |
| Cacti is an open source operational monitoring and fault management framework. Issues with Cacti Regular Expression validation combined with the external links feature can lead to limited SQL Injections and subsequent data leakage. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-37438 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2023-08-29 | N/A | 6.5 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host. | |||||
| CVE-2023-37437 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2023-08-29 | N/A | 6.5 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host. | |||||
| CVE-2023-37436 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2023-08-29 | N/A | 6.5 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host. | |||||
| CVE-2023-37435 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2023-08-29 | N/A | 6.5 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host. | |||||
| CVE-2023-33852 | 1 Ibm | 1 Security Guardium | 2023-08-29 | N/A | 5.4 MEDIUM |
| IBM Security Guardium 11.4 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 257614. | |||||
| CVE-2023-23563 | 1 Geomatika | 1 Isigeo Web | 2023-08-24 | N/A | 6.5 MEDIUM |
| An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to obtain sensitive database content via SQL Injection. | |||||