Total: 8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36033 | 1 Water Billing System Project | 1 Water Billing System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the id parameter to edituser.php. | |||||
| CVE-2021-26232 | 1 Simple College Website Project | 1 Simple College Website | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Simple College Website v 1.0 allows remote attackers to execute arbitrary SQL statements via the id parameter to news.php. | |||||
| CVE-2021-26231 | 1 Fantastic Blog Cms Project | 1 Fantastic Blog Cms | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Fantastic Blog CMS v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to category.php. | |||||
| CVE-2021-26229 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_stud.php. | |||||
| CVE-2021-26228 | 1 Casap Automated Enrollment System Project | 1 Casap Automated Enrollment System | 2021-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_class1.php. | |||||
| CVE-2020-23282 | 1 Mv | 1 Mconnect | 2021-07-30 | 5.0 MEDIUM | 7.5 HIGH |
| SQL injection in Logon Page in MV's mConnect application, v02.001.00, allows an attacker to use a non-existing user with a generic password to connect to the application and get access to unauthorized information. | |||||
| CVE-2020-5320 | 1 Dell | 2 Emc Openmanage Enterprise, Emc Openmanage Enterprise-modular | 2021-07-29 | 6.5 MEDIUM | 7.2 HIGH |
| Dell EMC OpenManage Enterprise (OME) versions prior to 3.2 and OpenManage Enterprise-Modular (OME-M) versions prior to 1.10.00 contain a SQL injection vulnerability. A remote authenticated malicious user with high privileges could potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions. | |||||
| CVE-2020-18155 | 1 Intelliants | 1 Subrion | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection. | |||||
| CVE-2021-25201 | 1 Learning Management System Project | 1 Learning Management System | 2021-07-29 | 5.0 MEDIUM | 7.5 HIGH |
| SQL injection vulnerability in Learning Management System v 1.0 allows remote attackers to execute arbitrary SQL statements through the id parameter to obtain sensitive database information. | |||||
| CVE-2021-25213 | 1 Travel Management System Project | 1 Travel Management System | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Travel Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php. | |||||
| CVE-2021-25209 | 1 Theme Park Ticketing System Project | 1 Theme Park Ticketing System | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Theme Park Ticketing System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_user.php. | |||||
| CVE-2021-25205 | 1 E-commerce Website Project | 1 E-commerce Website | 2021-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL statements, via the update parameter to empViewUpdate.php. | |||||
| CVE-2021-37475 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, a function in `templates.php` is vulnerable to SQL injection on parameter `template-properties-order`, which results in arbitrary SQL query execution in the backend database. | |||||
| CVE-2021-37477 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, a function in `structure.php` is vulnerable to SQL injection on parameter `children_order`, which results in arbitrary SQL query execution in the backend database. | |||||
| CVE-2021-37476 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, a function in `product.php` is vulnerable to SQL injection on parameter `id` through a POST request, which results in arbitrary SQL query execution in the backend database. | |||||
| CVE-2021-37473 | 1 Naviwebs | 1 Navigatecms | 2021-07-28 | 7.5 HIGH | 9.8 CRITICAL |
| In NavigateCMS version 2.9.4 and below, a function in `product.php` is vulnerable to SQL injection on parameter `products-order` through a POST request, which results in arbitrary SQL query execution in the backend database. | |||||
| CVE-2020-18144 | 1 Ectouch | 1 Ectouch | 2021-07-22 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection Vulnerability in ECTouch v2 via the integral_min parameter in index.php. | |||||
| CVE-2021-23405 | 1 Pimcore | 1 Pimcore | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| This affects the package pimcore/pimcore before 10.0.7. This issue exists due to the absence of check on the storeId parameter in the method collectionsActionGet and groupsActionGet method within the ClassificationstoreController class. | |||||
| CVE-2020-9006 | 1 Sygnoos | 1 Popup Builder | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances. (This issue has been fixed in the 3.x branch of popup-builder.) | |||||
| CVE-2020-25608 | 1 Mitel | 1 Micollab | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
| The SAS portal of Mitel MiCollab before 9.2 could allow an attacker to access user credentials due to improper input validation, aka SQL Injection. | |||||
| CVE-2020-24593 | 1 Mitel | 1 Micloud Management Portal | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
| Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation. | |||||
| CVE-2021-24451 | 1 Export Users With Meta Project | 1 Export Users With Meta | 2021-07-09 | 6.5 MEDIUM | 7.2 HIGH |
| The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. | |||||
| CVE-2021-32704 | 1 Dhis2 | 1 Dhis 2 | 2021-07-08 | 6.5 MEDIUM | 8.8 HIGH |
| DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the /api/trackedEntityInstances API endpoint in DHIS2 versions 2.34.4, 2.35.2, 2.35.3, 2.35.4, and 2.36.0. Earlier versions, such as 2.34.3 and 2.35.1 and all versions 2.33 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance endpoint as a temporary workaround while waiting to upgrade. | |||||
| CVE-2020-4902 | 2 Ibm, Microsoft | 2 Datacap Navigator, Windows | 2021-07-07 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Datacap Taskmaster Capture (IBM Datacap Navigator 9.1.7) is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 191045. | |||||
| CVE-2021-27950 | 1 Sitasoftware | 1 Azurcms | 2021-07-06 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in azurWebEngine in Sita AzurCMS through 1.2.3.12 allows an authenticated attacker to execute arbitrary SQL commands via the id parameter to mesdocs.ajax.php in azurWebEngine/eShop. By default, the query is executed as DBA. | |||||
| CVE-2021-28993 | 1 Plixer | 1 Scrutinizer | 2021-07-06 | 5.0 MEDIUM | 7.5 HIGH |
| Plixer Scrutinizer 19.0.2 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). | |||||
| CVE-2020-21394 | 1 Crmeb | 1 Crmeb | 2021-07-02 | 6.5 MEDIUM | 8.8 HIGH |
| SQL Injection vulnerability in Zhong Bang Technology Co., Ltd CRMEB mall system V2.60 and V3.1 via the tablename parameter in SystemDatabackup.php. | |||||
| CVE-2021-35456 | 1 Online Pet Shop Web Application Project | 1 Online Pet Shop Web Application | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| Online Pet Shop Web App 1.0 is vulnerable to remote SQL injection and shell upload. | |||||
| CVE-2021-34187 | 1 Chamilo | 1 Chamilo | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. | |||||
| CVE-2020-23711 | 1 Naviwebs | 1 Navigate Cms | 2021-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php. | |||||
| CVE-2017-7351 | 1 Vanderbilt | 1 Redcap | 2021-07-01 | 4.0 MEDIUM | 8.8 HIGH |
| A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload. | |||||
| CVE-2020-26712 | 1 Vanderbilt | 1 Redcap | 2021-07-01 | 10.0 HIGH | 9.8 CRITICAL |
| REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The application appends a string of user-submitted information that is not validated well to the database query, resulting in an SQL injection vulnerability that an attacker can exploit to compromise all databases. | |||||
| CVE-2013-4948 | 1 Machform | 1 Machform | 2021-07-01 | 7.5 HIGH | N/A |
| SQL injection vulnerability in view.php in Machform 2 allows remote attackers to execute arbitrary SQL commands via the element_2 parameter. | |||||
| CVE-2020-18662 | 1 Gnuboard | 1 Gnuboard5 | 2021-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php. | |||||
| CVE-2020-20392 | 1 Txjia | 1 Imcat | 2021-06-25 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in imcat v5.2 via the fm[auser] parameter in coms/add_coms.php. | |||||
| CVE-2021-31586 | 1 Accellion | 1 Kiteworks | 2021-06-25 | 6.5 MEDIUM | 8.8 HIGH |
| Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search. | |||||
| CVE-2021-3604 | 1 Primion-digitek | 1 Secure 8 | 2021-06-24 | 7.5 HIGH | 9.8 CRITICAL |
| Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database. | |||||
| CVE-2021-24361 | 1 Ayecode | 1 Location Manager | 2021-06-24 | 7.5 HIGH | 9.8 CRITICAL |
| In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. | |||||
| CVE-2015-7791 | 1 Collne | 1 Welcart | 2021-06-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter. | |||||
| CVE-2020-20469 | 1 White Shark Systems Project | 1 White Shark Systems | 2021-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log_edit.php file failing to filter the csa_to_user parameter; remote attackers can exploit the vulnerability to obtain sensitive database information. | |||||
| CVE-2020-20473 | 1 White Shark Systems Project | 1 White Shark Systems | 2021-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the control_task.php, control_project.php, and default_user.php files failing to filter the sort parameter. Remote attackers can exploit the vulnerability to obtain sensitive database information. | |||||
| CVE-2020-20474 | 1 White Shark Systems Project | 1 White Shark Systems | 2021-06-23 | 5.0 MEDIUM | 7.5 HIGH |
| White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the default_task_edituser.php file failing to filter the csa_to_user parameter. Remote attackers can exploit the vulnerability to obtain sensitive database information. | |||||
| CVE-2021-24341 | 1 Xllentech | 1 English Islamic Calendar | 2021-06-23 | 6.5 MEDIUM | 8.8 HIGH |
| When deleting a date in the Xllentech English Islamic Calendar WordPress plugin before 2.6.8, the year_number and month_number POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection. | |||||
| CVE-2021-23230 | 1 Gallagher | 1 Command Centre | 2021-06-22 | 3.5 LOW | 4.3 MEDIUM |
| A SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre allows a remote unprivileged Command Centre Operator to modify Command Centre databases undetected. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions. | |||||
| CVE-2021-32582 | 1 Connectwise | 1 Connectwise Automate | 2021-06-22 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in ConnectWise Automate before 2021.5. A blind SQL injection vulnerability exists in core agent inventory communication that can enable an attacker to extract database information or administrative credentials from an instance via crafted monitor status responses. | |||||
| CVE-2021-33894 | 1 Progress | 1 Moveit Transfer | 2021-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements. | |||||
| CVE-2020-29214 | 1 Alumni Management System Project | 1 Alumni Management System | 2021-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows the user to inject SQL payload to bypass the authentication via admin/login.php. | |||||
| CVE-2021-32932 | 1 Advantech | 1 Iview | 2021-06-21 | 5.0 MEDIUM | 7.5 HIGH |
| The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on the iView (versions prior to v5.7.03.6182). | |||||
| CVE-2020-22203 | 1 Phpcms | 1 Phpcms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in phpCMS 2008 sp4 via the genre parameter to yp/job.php. | |||||
| CVE-2021-24348 | 1 Wow-estore | 1 Side Menu | 2021-06-21 | 6.5 MEDIUM | 7.2 HIGH |
| The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users, takes the did GET parameter and uses it in an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue. | |||||
