Total: 8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-5957 | 1 Civicrm | 1 Civicrm | 2021-04-16 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location.php in CiviCRM before 4.2.12, 4.3.x before 4.3.7, and 4.4.x before 4.4.beta4 allow remote attackers to execute arbitrary SQL commands via the _value parameter to (1) ajax/jqState or (2) ajax/jqcounty. | |||||
| CVE-2008-3223 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2021-04-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields." | |||||
| CVE-2021-30175 | 1 Zerof | 1 Web Server | 2021-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page. | |||||
| CVE-2021-30176 | 1 Zerof | 1 Expert | 2021-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint. | |||||
| CVE-2021-30177 | 1 Phpnuke | 1 Php-nuke | 2021-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE. | |||||
| CVE-2021-24200 | 1 Tms-outsource | 1 Wpdatatables | 2021-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. | |||||
| CVE-2021-24199 | 1 Tms-outsource | 1 Wpdatatables | 2021-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. | |||||
| CVE-2021-28925 | 1 Nagios | 1 Network Analyzer | 2021-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/. | |||||
| CVE-2020-23763 | 1 Online Book Store Project | 1 Online Book Store | 2021-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication. | |||||
| CVE-2011-1653 | 1 Broadcom | 1 Total Defense | 2021-04-12 | 10.0 HIGH | N/A |
| Multiple SQL injection vulnerabilities in the Unified Network Control (UNC) Server in CA Total Defense (TD) r12 before SE2 allow remote attackers to execute arbitrary SQL commands via vectors involving the (1) UnAssignFunctionalRoles, (2) UnassignAdminRoles, (3) DeleteFilter, (4) NonAssignedUserList, (5) DeleteReportLayout, (6) DeleteReports, and (7) RegenerateReport stored procedures. | |||||
| CVE-2014-8248 | 1 Broadcom | 1 Release Automation | 2021-04-12 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in CA Release Automation (formerly iTKO LISA Release Automation) before 4.7.1 b448 allows remote authenticated users to execute arbitrary SQL commands via a crafted query. | |||||
| CVE-2018-13824 | 2 Broadcom, Ca | 2 Project Portfolio Management, Project Portfolio Management | 2021-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| Insufficient input sanitization of two parameters in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to execute SQL injection attacks. | |||||
| CVE-2018-9029 | 1 Broadcom | 1 Privileged Access Manager | 2021-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| An improper input validation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to conduct SQL injection attacks. | |||||
| CVE-2021-24186 | 1 Themeum | 1 Tutor Lms | 2021-04-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | |||||
| CVE-2021-24181 | 1 Themeum | 1 Tutor Lms | 2021-04-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | |||||
| CVE-2021-24182 | 1 Themeum | 1 Tutor Lms | 2021-04-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | |||||
| CVE-2021-24183 | 1 Themeum | 1 Tutor Lms | 2021-04-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | |||||
| CVE-2021-24185 | 1 Themeum | 1 Tutor Lms | 2021-04-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | |||||
| CVE-2021-30055 | 1 Eng | 1 Knowage | 2021-04-08 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report. | |||||
| CVE-2007-2230 | 1 Broadcom | 1 Cleverpath Portal | 2021-04-07 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in CA Clever Path Portal allows remote authenticated users to execute limited SQL commands and retrieve arbitrary database contents via (1) the ofinterest parameter in a light search query, (2) description parameter in the advanced search query, and possibly other vectors. | |||||
| CVE-2007-5084 | 1 Broadcom | 1 Brightstor Hierarchical Storage Manager | 2021-04-07 | 6.8 MEDIUM | N/A |
| Multiple SQL injection vulnerabilities in Computer Associates (CA) BrightStor Hierarchical Storage Manager (HSM) before r11.6 allow remote attackers to execute arbitrary SQL commands via CsAgent service commands with opcodes (1) 0x07, (2) 0x08, (3) 0x09, (4) 0x1E, (5) 0x32, (6) 0x36, (7) 0x40, and possibly others. | |||||
| CVE-2021-28969 | 1 Fireeye | 2 Email Malware Protection System, Ex 3500 | 2021-04-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| eMPS 9.0.1.923211 on FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort_by parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3. NOTE: this is different from CVE-2020-25034 and affects newer versions of the software. | |||||
| CVE-2021-30000 | 1 Latrix Project | 1 Latrix | 2021-04-07 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in LATRIX 0.6.0. SQL injection in the txtaccesscode parameter of inandout.php leads to information disclosure and code execution. | |||||
| CVE-2021-28970 | 1 Fireeye | 2 Email Malware Protection System, Ex 3500 | 2021-04-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| eMPS 9.0.1.923211 on the Central Management of FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the job_id parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3. | |||||
| CVE-2012-1255 | 1 Segue Project | 1 Segue | 2021-04-06 | 7.5 HIGH | N/A |
| SQL injection vulnerability in Segue 2.2.10.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2021-29343 | 1 Ovidentia | 1 Ovidentia | 2021-04-05 | 5.5 MEDIUM | 5.4 MEDIUM |
| Ovidentia CMS 6.x contains a SQL injection vulnerability in the "id" parameter of index.php. The "checkbox" property into "text" data can be extracted and displayed in the text region or in source code. | |||||
| CVE-2021-28245 | 1 Pbootcms | 1 Pbootcms | 2021-04-05 | 5.0 MEDIUM | 7.5 HIGH |
| PbootCMS 3.0.4 contains a SQL injection vulnerability through index.php via the search parameter that can reveal sensitive information through adding an admin account. | |||||
| CVE-2020-28172 | 1 Simple College Project | 1 Simple College | 2021-04-02 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in Simple College Website 1.0 allows remote unauthenticated attackers to bypass the admin authentication mechanism in college_website/admin/ajax.php?action=login, thus gaining access to the website administrative panel. | |||||
| CVE-2020-36002 | 1 Seat-reservation-system Project | 1 Seat-reservation-system | 2021-04-01 | 5.0 MEDIUM | 7.5 HIGH |
| Seat-Reservation-System 1.0 has a SQL injection vulnerability in index.php in the id parameter where attackers can obtain sensitive database information. | |||||
| CVE-2021-28668 | 1 Xerox | 20 Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more | 2021-04-01 | 7.5 HIGH | 9.8 CRITICAL |
| Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 has several SQL injection vulnerabilities. | |||||
| CVE-2015-7299 | 1 Nintex | 3 K2 Blackpearl, K2 For Sharepoint, K2 Smartforms | 2021-03-31 | 7.5 HIGH | N/A |
| SQL injection vulnerability in Runtime/Runtime/AjaxCall.ashx in K2 blackpearl, smartforms, and K2 for SharePoint 4.6.7 allows remote attackers to execute arbitrary SQL commands via the xml parameter. | |||||
| CVE-2020-26935 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Backports Sle and 2 more | 2021-03-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query. | |||||
| CVE-2019-15562 | 1 Gorm | 1 Gorm | 2021-03-30 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** GORM before 1.9.10 allows SQL injection via incomplete parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm expects trusted SQL fragments is a vulnerability in the application, not in Gorm. | |||||
| CVE-2011-4710 | 2 Getpixie, Lucidcrew | 2 Pixie, Pixie | 2021-03-29 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Pixie CMS 1.01 through 1.04 allow remote attackers to execute arbitrary SQL commands via the (1) pixie_user parameter and (2) Referer HTTP header in a request to the default URI. | |||||
| CVE-2020-10582 | 1 Invigo | 1 Automatic Device Management | 2021-03-27 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection on the /admin/display_errors.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to execute arbitrary SQL requests (including data reading and modification) on the database. | |||||
| CVE-2020-27869 | 1 Solarwinds | 1 Network Performance Monitor | 2021-03-26 | 9.0 HIGH | 8.8 HIGH |
| This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor 2020 HF1, NPM: 2020.2. Authentication is required to exploit this vulnerability. The specific flaw exists within the WriteToFile method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges and reset the password for the Admin user. Was ZDI-CAN-11804. | |||||
| CVE-2021-26578 | 1 Hpe | 1 Network Orchestrator | 2021-03-25 | 5.0 MEDIUM | 7.5 HIGH |
| A potential security vulnerability has been identified in HPE Network Orchestrator (NetO) version(s): Prior to 2.5. The vulnerability could be remotely exploited with SQL injection. | |||||
| CVE-2010-4400 | 1 Dynpg | 1 Dynpg | 2021-03-25 | 7.5 HIGH | N/A |
| SQL injection vulnerability in _rights.php in DynPG CMS 4.2.0 allows remote attackers to execute arbitrary SQL commands via the giveRights_UserId parameter. | |||||
| CVE-2020-6577 | 1 It-recht-kanzlei | 1 It-recht-kanzlei | 2021-03-25 | 7.5 HIGH | 9.8 CRITICAL |
| The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection. | |||||
| CVE-2020-35337 | 1 Thinksaas | 1 Thinksaas | 2021-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| ThinkSAAS before 3.38 contains a SQL injection vulnerability through app/topic/action/admin/topic.php via the title parameter, which allows remote attackers to execute arbitrary SQL commands. | |||||
| CVE-2021-24130 | 1 Flippercode | 1 Wp Google Map | 2021-03-24 | 6.5 MEDIUM | 7.2 HIGH |
| Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+). | |||||
| CVE-2021-24131 | 1 Cleantalk | 1 Anti-spam | 2021-03-24 | 6.5 MEDIUM | 7.2 HIGH |
| Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, leads to multiple authenticated SQL injection vulnerabilities; however, it requires a high privilege user (admin+). | |||||
| CVE-2021-24132 | 1 10web | 1 Slider | 2021-03-24 | 6.5 MEDIUM | 8.8 HIGH |
| The bulk_action, export_full and save_slider_db functionalities of the Slider by 10Web WordPress plugin, versions before 1.2.36, were vulnerable, allowing a high privileged user (Admin), or a medium one such as Contributor+ (if "Role Options" is turned on for other users), to perform SQL Injection attacks. | |||||
| CVE-2021-27320 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter. | |||||
| CVE-2021-27319 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter. | |||||
| CVE-2021-27316 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| Blind SQL injection in contactus.php in doctor appointment system 1.0 allows an unauthenticated attacker to insert malicious SQL queries via lastname parameter. | |||||
| CVE-2021-27315 | 1 Doctor Appointment System Project | 1 Doctor Appointment System | 2021-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter. | |||||
| CVE-2021-21380 | 1 Xwiki | 1 Xwiki | 2021-03-24 | 6.5 MEDIUM | 8.8 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager. | |||||
| CVE-2021-26935 | 1 Wowonder | 1 Wowonder | 2021-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter. | |||||
| CVE-2021-24138 | 1 Ajdg | 1 Adrotate | 2021-03-24 | 5.5 MEDIUM | 5.5 MEDIUM |
| Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user. | |||||
