Search
Total
8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24397 | 1 Activemedia | 1 Microcopy | 2021-09-29 | 6.5 MEDIUM | 7.2 HIGH |
| The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a get request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24404 | 1 Wp-board Project | 1 Wp-board | 2021-09-28 | 6.5 MEDIUM | 8.8 HIGH |
| The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query ran twice. | |||||
| CVE-2021-24399 | 1 Ombu | 1 The Sorter | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-40674 | 1 Wuzhicms | 1 Wuzhicms | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php. | |||||
| CVE-2021-24396 | 1 Bestiaweb | 1 Gseor | 2021-09-28 | 6.5 MEDIUM | 7.2 HIGH |
| A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2020-21121 | 1 Kliqqi | 1 Kliqqi Cms | 2021-09-28 | 7.5 HIGH | 9.8 CRITICAL |
| Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file. | |||||
| CVE-2021-40670 | 1 Wuzhicms | 1 Wuzhicms | 2021-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords iparameter under the /coreframe/app/order/admin/card.php file. | |||||
| CVE-2021-40669 | 1 Wuzhicms | 1 Wuzhicms | 2021-09-27 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file. | |||||
| CVE-2021-23040 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2021-09-24 | 6.5 MEDIUM | 8.8 HIGH |
| On BIG-IP AFM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This issue is exposed only when BIG-IP AFM is provisioned. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2020-21127 | 1 Metinfo | 1 Metinfo | 2021-09-23 | 7.5 HIGH | 9.8 CRITICAL |
| MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel. | |||||
| CVE-2021-33688 | 1 Sap | 1 Business One | 2021-09-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained. | |||||
| CVE-2021-24726 | 1 Wpsimplebookingcalendar | 1 Wp Simple Booking Calendar | 2021-09-23 | 6.5 MEDIUM | 8.8 HIGH |
| The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue | |||||
| CVE-2021-24727 | 1 Stopbadbots | 1 Block And Stop Bad Bots | 2021-09-23 | 6.5 MEDIUM | 8.8 HIGH |
| The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameter in some of its admin dashboard pages, leading to Authenticated SQL Injections | |||||
| CVE-2021-38324 | 1 Smartypantsplugins | 1 Sp Rental Manager | 2021-09-22 | 5.0 MEDIUM | 7.5 HIGH |
| The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3. | |||||
| CVE-2021-37593 | 1 Peel | 1 Peel Shopping | 2021-09-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data. | |||||
| CVE-2021-27890 | 1 Mybb | 1 Mybb | 2021-09-21 | 6.8 MEDIUM | 8.8 HIGH |
| SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. | |||||
| CVE-2021-35042 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. | |||||
| CVE-2020-35427 | 1 Employee Record Management System Project | 1 Employee Record Management System | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication. | |||||
| CVE-2021-38723 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-09-20 | 6.5 MEDIUM | 8.8 HIGH |
| FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items | |||||
| CVE-2021-37422 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. | |||||
| CVE-2021-39378 | 1 Os4ed | 1 Opensis | 2021-09-16 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter. | |||||
| CVE-2021-40814 | 1 Mypresta | 1 Customer Photo Gallery | 2021-09-15 | 7.5 HIGH | 9.8 CRITICAL |
| The Customer Photo Gallery addon before 2.9.4 for PrestaShop is vulnerable to SQL injection. | |||||
| CVE-2021-35048 | 1 Fidelissecurity | 2 Deception, Network | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL |
| Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability. | |||||
| CVE-2021-39375 | 1 Philips | 1 Tasy Electronic Medical Record | 2021-09-14 | 6.5 MEDIUM | 8.8 HIGH |
| Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. | |||||
| CVE-2019-7481 | 1 Sonicwall | 2 Sma 100, Sma 100 Firmware | 2021-09-14 | 5.0 MEDIUM | 7.5 HIGH |
| Vulnerability in SonicWall SMA100 allow unauthenticated user to gain read-only access to unauthorized resources. This vulnerablity impacted SMA100 version 9.0.0.3 and earlier. | |||||
| CVE-2020-18667 | 1 Webport | 1 Webport | 2021-09-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in WebPort <=1.19.1 via the new connection, parameter name in type-conn. | |||||
| CVE-2014-5071 | 1 Microsemi | 2 S350i, S350i Firmware | 2021-09-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the checkPassword function in Symmetricom s350i 2.70.15 allows remote attackers to execute arbitrary SQL commands via vectors involving a username. | |||||
| CVE-2015-6028 | 1 Castlerock | 1 Snmpc | 2021-09-13 | 6.5 MEDIUM | 8.8 HIGH |
| Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via the sc parameter. | |||||
| CVE-2016-3675 | 1 Huawei | 2 Policy Center, Policy Center Firmware | 2021-09-13 | 6.5 MEDIUM | 8.1 HIGH |
| SQL injection vulnerability in Huawei Policy Center with software before V100R003C10SPC020 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to system databases. | |||||
| CVE-2021-38706 | 1 Cliniccases | 1 Cliniccases | 2021-09-10 | 6.5 MEDIUM | 8.8 HIGH |
| messages_load.php in ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter. | |||||
| CVE-2020-7819 | 2 Microsoft, Ntracker | 2 Windows, Ntracker Usb Enterprise | 2021-09-10 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL-Injection vulnerability in the nTracker USB Enterprise(secure USB management solution) allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. | |||||
| CVE-2020-19853 | 1 Bluecms Project | 1 Bluecms | 2021-09-10 | 7.5 HIGH | 9.8 CRITICAL |
| BlueCMS v1.6 contains a SQL injection vulnerability via /ad_js.php. | |||||
| CVE-2017-13137 | 1 Formcrafts | 1 Formcraft | 2021-09-10 | 7.5 HIGH | 9.8 CRITICAL |
| The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the id parameter to form.php. | |||||
| CVE-2020-20340 | 1 S-cms | 1 S-cms | 2021-09-10 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information. | |||||
| CVE-2021-24303 | 1 Jiangqie | 1 Official Website Mini Program | 2021-09-09 | 6.5 MEDIUM | 8.8 HIGH |
| The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues | |||||
| CVE-2021-24391 | 1 Cashtomer Project | 1 Cashtomer | 2021-09-09 | 6.5 MEDIUM | 8.8 HIGH |
| An editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24392 | 1 Swiftcrm | 1 Club-management-software | 2021-09-09 | 6.5 MEDIUM | 7.2 HIGH |
| An id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24393 | 1 Comment Highlighter Project | 1 Comment Highlighter | 2021-09-09 | 6.5 MEDIUM | 7.2 HIGH |
| A c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24394 | 1 Easy Testimonial Manager Project | 1 Easy Testimonial Manager | 2021-09-09 | 6.5 MEDIUM | 7.2 HIGH |
| An id GET parameter of the Easy Testimonial Manager WordPress plugin through 1.2.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection | |||||
| CVE-2021-24395 | 1 Geekwebsolution | 1 Embed Youtube Video | 2021-09-09 | 6.5 MEDIUM | 7.2 HIGH |
| The editid GET parameter of the Embed Youtube Video WordPress plugin through 1.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2015-8157 | 1 Broadcom | 5 Symantec Critical System Protection, Symantec Data Center Security Server, Symantec Data Center Security Server And Agents and 2 more | 2021-09-09 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP) before 5.2.9 MP6, Data Center Security: Server Advanced Server (DCS:SA) 6.x before 6.5 MP1 and 6.6 before MP1, and Data Center Security: Server Advanced Server and Agents (DCS:SA) through 6.6 MP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2016-4351 | 1 Trendmicro | 1 Email Encryption Gateway | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the authentication functionality in Trend Micro Email Encryption Gateway (TMEEG) 5.5 before build 1107 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-5151 | 1 Panasonic | 1 Video Insight Web Client | 2021-09-09 | 7.5 HIGH | 7.3 HIGH |
| An issue was discovered in VideoInsight Web Client Version 6.3.5.11 and previous versions. A SQL Injection vulnerability has been identified, which may allow remote code execution. | |||||
| CVE-2021-39377 | 1 Os4ed | 1 Opensis | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter. | |||||
| CVE-2021-39379 | 1 Os4ed | 1 Opensis | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter. | |||||
| CVE-2021-40353 | 1 Os4ed | 1 Opensis | 2021-09-09 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637. | |||||
| CVE-2021-38145 | 1 Formtools | 1 Core | 2021-09-08 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1. | |||||
| CVE-2021-38390 | 1 Deltaww | 1 Diaenergie | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL |
| A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. | |||||
| CVE-2021-38393 | 1 Deltaww | 1 Diaenergie | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL |
| A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. | |||||
| CVE-2021-38391 | 1 Deltaww | 1 Diaenergie | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL |
| A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. | |||||