Total: 8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24345 | 1 Sendit Project | 1 Sendit | 2021-06-21 | 6.0 MEDIUM | 6.6 MEDIUM |
| The page lists-management feature of the Sendit WP Newsletter WordPress plugin through 2.5.1, available to Administrator users, does not sanitise, validate or escape the id_lista POST parameter before using it in a SQL statement, therefore leading to Blind SQL Injection. | |||||
| CVE-2020-22198 | 1 Dedecms | 1 Dedecms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php. | |||||
| CVE-2020-22206 | 1 Shopex | 1 Ecshop | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in ECShop 3.0 via the aid parameter to admin/affiliate_ck.php. | |||||
| CVE-2020-22204 | 1 Shopex | 1 Ecshop | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in ECShop 2.7.6 via the goods_number parameter to flow.php. | |||||
| CVE-2020-22205 | 1 Shopex | 1 Ecshop | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in ECShop 3.0 via the id parameter to admin/shophelp.php. | |||||
| CVE-2020-22208 | 1 74cms | 1 74cms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php. | |||||
| CVE-2020-22209 | 1 74cms | 1 74cms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php. | |||||
| CVE-2020-22211 | 1 74cms | 1 74cms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php. | |||||
| CVE-2020-22210 | 1 74cms | 1 74cms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php. | |||||
| CVE-2020-22212 | 1 74cms | 1 74cms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in 74cms 3.2.0 via the id parameter to wap/wap-company-show.php. | |||||
| CVE-2020-22199 | 1 Phpcms | 1 Phpcms | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in phpCMS 2007 SP6 build 0805 via the digg_mod parameter to digg_add.php. | |||||
| CVE-2021-24360 | 1 Kohsei-works | 1 Yes/no Chart | 2021-06-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Yes/No Chart WordPress plugin before 1.0.12 did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users (contributor+) to perform Blind SQL Injection attacks. | |||||
| CVE-2013-4422 | 3 Postgresql, Qt, Quassel-irc | 3 Postgresql, Qt, Quassel Irc | 2021-06-16 | 6.8 MEDIUM | N/A |
| SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message. | |||||
| CVE-2021-24337 | 1 Video Embed Project | 1 Video Embed | 2021-06-14 | 6.5 MEDIUM | 8.8 HIGH |
| The id GET parameter of one of the Video Embed WordPress plugin through 1.0's page (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection. | |||||
| CVE-2021-24336 | 1 Zavedil | 1 Flightlog | 2021-06-14 | 6.5 MEDIUM | 7.2 HIGH |
| The FlightLog WordPress plugin through 3.0.2 does not sanitise, validate or escape various POST parameters before using them in a SQL statement, leading to SQL injections exploitable by editor and administrator users. | |||||
| CVE-2021-24340 | 1 Veronalabs | 1 Wp Statistics | 2021-06-14 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones. | |||||
| CVE-2020-24667 | 1 Tracefinanacial | 1 Crestbridge | 2021-06-11 | 6.5 MEDIUM | 8.8 HIGH |
| Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03. | |||||
| CVE-2020-24671 | 1 Tracefinanacial | 1 Crestbridge | 2021-06-11 | 6.5 MEDIUM | 8.8 HIGH |
| Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03. | |||||
| CVE-2021-29089 | 1 Synology | 1 Photo Station | 2021-06-10 | 10.0 HIGH | 9.8 CRITICAL |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2021-29090 | 1 Synology | 1 Photo Station | 2021-06-10 | 9.0 HIGH | 7.2 HIGH |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors. | |||||
| CVE-2020-35441 | 1 Fangfa | 1 Fdcms | 2021-06-10 | 7.5 HIGH | 9.8 CRITICAL |
| FDCMS (aka Fangfa Content Management System) 4.0 contains a front-end SQL injection via Admin/Lib/Action/FloginAction.class.php. | |||||
| CVE-2020-25362 | 1 Online Shopping Alphaware Project | 1 Online Shopping Alphaware | 2021-06-09 | 5.0 MEDIUM | 7.5 HIGH |
| The id parameter in Online Shopping Alphaware 1.0 has been discovered to be vulnerable to an Error-Based blind SQL injection in the /alphaware/details.php path. This allows an attacker to retrieve all databases. | |||||
| CVE-2021-27828 | 1 In4velocity | 1 In4suite Erp | 2021-06-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries. | |||||
| CVE-2020-24862 | 1 Pharmacy Medical Store And Sale Point Project | 1 Pharmacy Medical Store And Sale Point | 2021-06-09 | 5.0 MEDIUM | 7.5 HIGH |
| The catID parameter in Pharmacy Medical Store and Sale Point v1.0 has been found to be vulnerable to a Time-Based blind SQL injection via the /medical/inventories.php path which allows attackers to retrieve all databases. | |||||
| CVE-2020-26668 | 1 Bigtreecms | 1 Bigtree Cms | 2021-06-09 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function. | |||||
| CVE-2021-33180 | 1 Synology | 1 Media Server | 2021-06-09 | 7.5 HIGH | 9.8 CRITICAL |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2020-36004 | 1 Appcms | 1 Appcms | 2021-06-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| AppCMS 2.0.101 in /admin/download_frame.php has a SQL injection vulnerability which allows attackers to obtain sensitive database information. | |||||
| CVE-2013-7262 | 2 Osgeo, Umn | 2 Mapserver, Mapserver | 2021-06-07 | 6.8 MEDIUM | N/A |
| SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter. | |||||
| CVE-2011-2703 | 2 Osgeo, Umn | 2 Mapserver, Mapserver | 2021-06-07 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in MapServer before 4.10.7, 5.x before 5.6.7, and 6.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) OGC filter encoding or (2) WMS time support. | |||||
| CVE-2019-25019 | 1 Limesurvey | 1 Limesurvey | 2021-06-04 | 7.5 HIGH | 9.8 CRITICAL |
| LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model. | |||||
| CVE-2020-14295 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2021-06-02 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. | |||||
| CVE-2020-26677 | 1 Vfairs | 1 Vfairs | 2021-06-01 | 6.5 MEDIUM | 8.8 HIGH |
| Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API. | |||||
| CVE-2021-30081 | 1 Emlog | 1 Emlog | 2021-05-27 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in emlog 6.0.0stable. There is a SQL Injection vulnerability that can execute any SQL statement and query server sensitive data via admin/navbar.php?action=add_page. | |||||
| CVE-2019-12348 | 1 Zzcms | 1 Zzcms | 2021-05-27 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter. | |||||
| CVE-2020-25409 | 1 College Management System Project | 1 College Management System | 2021-05-27 | 7.5 HIGH | 9.8 CRITICAL |
| Projectsworlds College Management System Php 1.0 is vulnerable to SQL injection issues over multiple parameters. | |||||
| CVE-2021-20720 | 1 Kujirahand | 1 Konawiki | 2021-05-25 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the KonaWiki2 versions prior to 2.2.4 allows remote attackers to execute arbitrary SQL commands and to obtain/alter the information stored in the database via unspecified vectors. | |||||
| CVE-2021-31827 | 1 Progress | 1 Moveit Transfer | 2021-05-25 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. This is in MOVEit.DMZ.WebApp in SILHuman.vb. | |||||
| CVE-2020-4990 | 1 Ibm | 1 Security Guardium | 2021-05-25 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Security Guardium 11.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 192710. | |||||
| CVE-2021-29053 | 1 Liferay | 2 Dxp, Liferay Portal | 2021-05-24 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C. | |||||
| CVE-2021-31316 | 1 Centos-webpanel | 1 Centos Web Panel | 2021-05-24 | 10.0 HIGH | 9.8 CRITICAL |
| The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. | |||||
| CVE-2021-24295 | 1 Cleantalk | 1 Spam Protection, Antispam, Firewall | 2021-05-24 | 5.0 MEDIUM | 7.5 HIGH |
| It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset. | |||||
| CVE-2021-24314 | 1 Boostifythemes | 1 Goto | 2021-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| The Goto WordPress theme before 2.1 did not sanitise, validate or escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue. | |||||
| CVE-2021-24285 | 1 Cars-seller-auto-classifieds-script Project | 1 Cars-seller-auto-classifieds-script | 2021-05-21 | 7.5 HIGH | 9.8 CRITICAL |
| The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue. | |||||
| CVE-2021-32615 | 1 Piwigo | 1 Piwigo | 2021-05-21 | 7.5 HIGH | 9.8 CRITICAL |
| Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection. | |||||
| CVE-2020-35701 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2021-05-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution. | |||||
| CVE-2021-32051 | 1 Hexagon | 1 Intergraph G!nius | 2021-05-21 | 5.0 MEDIUM | 7.5 HIGH |
| Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter. | |||||
| CVE-2019-19026 | 2 Linuxfoundation, Pivotal | 2 Harbor, Vmware Harbor Registry | 2021-05-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform. | |||||
| CVE-2019-19029 | 2 Linuxfoundation, Pivotal | 2 Harbor, Vmware Harbor Registry | 2021-05-21 | 6.5 MEDIUM | 7.2 HIGH |
| Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform. | |||||
| CVE-2020-13873 | 1 Codologic | 1 Codoforum | 2021-05-20 | 10.0 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the operating system.) | |||||
| CVE-2020-22807 | 1 Vtiger | 1 Vtiger Crm | 2021-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in vtiger crm 7.2. Union sql injection in the calendar exportdata feature. | |||||
