Search
Total
8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-24841 | 1 Sdg | 1 Pnpscada | 2021-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| PNPSCADA 2.200816204020 allows SQL injection via parameter 'interf' in /browse.jsp. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | |||||
| CVE-2020-29142 | 1 Open-emr | 1 Openemr | 2021-02-18 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on is in global settings. | |||||
| CVE-2020-36003 | 1 Online Book Store Project | 1 Online Book Store | 2021-02-18 | 5.0 MEDIUM | 7.5 HIGH |
| The id parameter in detail.php of Online Book Store v1.0 is vulnerable to union-based blind SQL injection, which leads to the ability to retrieve all databases. | |||||
| CVE-2020-35765 | 1 Zohocorp | 1 Manageengine Applications Manager | 2021-02-17 | 6.5 MEDIUM | 8.8 HIGH |
| doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. | |||||
| CVE-2021-21024 | 1 Magento | 1 Magento | 2021-02-16 | 6.5 MEDIUM | 9.1 CRITICAL |
| Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation. | |||||
| CVE-2021-26751 | 1 Nedi | 1 Nedi | 2021-02-14 | 4.0 MEDIUM | 8.8 HIGH |
| NeDi 1.9C allows an authenticated user to perform a SQL Injection in the Monitoring History function on the endpoint /Monitoring-History.php via the det HTTP GET parameter. This allows an attacker to access all the data in the database and obtain access to the NeDi application. | |||||
| CVE-2020-18215 | 1 Phpshe | 1 Phpshe | 2021-02-12 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple SQL Injection vulnerabilities in PHPSHE 1.7 in phpshe/admin.php via the (1) ad_id, (2) menu_id, and (3) cashout_id parameters, which could let a remote malicious user execute arbitrary code. | |||||
| CVE-2021-22658 | 1 Advantech | 1 Iview | 2021-02-12 | 7.5 HIGH | 9.8 CRITICAL |
| Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to 'Administrator'. | |||||
| CVE-2021-22654 | 1 Advantech | 1 Iview | 2021-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information. | |||||
| CVE-2020-26051 | 1 College Management System Project | 1 College Management System | 2021-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| College Management System Php 1.0 suffers from SQL injection vulnerabilities in the index.php page from POST parameters 'unametxt' and 'pwdtxt', which are not filtered before passing a SQL query. | |||||
| CVE-2020-16629 | 1 Phpok | 1 Phpok | 2021-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path. | |||||
| CVE-2020-35700 | 1 Librenms | 1 Librenms | 2021-02-09 | 6.5 MEDIUM | 8.8 HIGH |
| A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings endpoint. | |||||
| CVE-2021-26754 | 1 Wpdatatables | 1 Wpdatatables | 2021-02-09 | 10.0 HIGH | 9.8 CRITICAL |
| wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection. | |||||
| CVE-2020-18717 | 1 Zzzcms | 1 Zzzphp | 2021-02-08 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php. | |||||
| CVE-2021-20016 | 1 Sonicwall | 11 Sma 100, Sma 100 Firmware, Sma 200 and 8 more | 2021-02-08 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x. | |||||
| CVE-2020-18716 | 1 Rockoa | 1 Rockoa | 2021-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordAction.php. | |||||
| CVE-2020-18714 | 1 Rockoa | 1 Rockoa | 2021-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordModel.php's getdata function. | |||||
| CVE-2020-18713 | 1 Rockoa | 1 Rockoa | 2021-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in customerAction.php | |||||
| CVE-2020-29163 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2021-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by SQL injection. | |||||
| CVE-2020-5427 | 1 Vmware | 1 Spring Cloud Data Flow | 2021-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5.x prior 2.5.4, an application is vulnerable to SQL injection when requesting task execution. | |||||
| CVE-2020-20289 | 1 Yccms | 1 Yccms | 2021-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| Sql injection vulnerability in the yccms 3.3 project. The no_top function's improper judgment of the request parameters, triggers a sql injection vulnerability. | |||||
| CVE-2020-21176 | 1 Thinkjs | 1 Thinkjs | 2021-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter. | |||||
| CVE-2020-5428 | 1 Vmware | 1 Spring Cloud Task | 2021-02-03 | 6.5 MEDIUM | 6.0 MEDIUM |
| In applications using Spring Cloud Task 2.2.4.RELEASE and below, may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer. | |||||
| CVE-2020-35263 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2021-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| EgavilanMedia User Registration & Login System 1.0 is affected by SQL injection to the admin panel, which may allow arbitrary code execution. | |||||
| CVE-2020-20296 | 1 Cmswing | 1 Cmswing | 2021-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in CMSWing project version 1.3.8, Because the rechargeAction function does not check the balance parameter, malicious parameters can execute arbitrary SQL commands. | |||||
| CVE-2020-20295 | 1 Cmswing | 1 Cmswing | 2021-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in CMSWing project version 1.3.8. Because the updateAction function does not check the detail parameter, malicious parameters can execute arbitrary SQL commands. | |||||
| CVE-2020-21180 | 1 Koa2-blog Project | 1 Koa2-blog | 2021-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signup page. | |||||
| CVE-2020-20294 | 1 Cmswing | 1 Cmswing | 2021-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in CMSWing project version 1.3.8. Because the log function does not check the log parameter, malicious parameters can execute arbitrary commands. | |||||
| CVE-2020-21179 | 1 Koa2-blog Project | 1 Koa2-blog | 2021-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| Sql injection vulnerability in koa2-blog 1.0.0 allows remote attackers to Injecting a malicious SQL statement via the name parameter to the signin page. | |||||
| CVE-2020-35270 | 1 Student Result Management System Project | 1 Student Result Management System | 2021-02-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Student Result Management System In PHP With Source Code is affected by SQL injection. An attacker can able to access of Admin Panel and manage every account of Result. | |||||
| CVE-2018-7318 | 2 Belitsoft, Oracle | 2 Checklist, Data Integrator | 2021-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the CheckList 1.1.1 component for Joomla! via the title_search, tag_search, name_search, description_search, or filter_order parameter. | |||||
| CVE-2017-5611 | 3 Debian, Oracle, Wordpress | 3 Debian Linux, Data Integrator, Wordpress | 2021-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. | |||||
| CVE-2018-9019 | 2 Dolibarr, Oracle | 2 Dolibarr, Data Integrator | 2021-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php. | |||||
| CVE-2021-3286 | 1 Spotweb Project | 1 Spotweb | 2021-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete fix for CVE-2020-35545. | |||||
| CVE-2020-23262 | 1 Mingsoft | 1 Mcms | 2021-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection without logging in through /mcms/view.do. | |||||
| CVE-2021-1355 | 1 Cisco | 2 Unified Communications Manager, Unified Communications Manager Im And Presence Service | 2021-01-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1364 | 1 Cisco | 2 Unified Communications Manager, Unified Communications Manager Im And Presence Service | 2021-01-29 | 4.0 MEDIUM | 4.9 MEDIUM |
| Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-22847 | 1 Hyweb | 1 Hycms-j1 | 2021-01-28 | 6.5 MEDIUM | 8.8 HIGH |
| Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege. | |||||
| CVE-2021-1222 | 1 Cisco | 1 Smart Software Manager On-prem | 2021-01-28 | 5.5 MEDIUM | 8.1 HIGH |
| A vulnerability in the web-based management interface of Cisco Smart Software Manager Satellite could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates values within SQL queries. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system. | |||||
| CVE-2021-1225 | 1 Cisco | 1 Sd-wan Vmanage | 2021-01-27 | 6.4 MEDIUM | 9.1 CRITICAL |
| Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities exist because the web-based management interface improperly validates values in SQL queries. An attacker could exploit these vulnerabilities by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system. | |||||
| CVE-2021-1248 | 1 Cisco | 1 Data Center Network Manager | 2021-01-27 | 6.5 MEDIUM | 7.2 HIGH |
| Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-1247 | 1 Cisco | 1 Data Center Network Manager | 2021-01-27 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-27733 | 1 Zohocorp | 1 Manageengine Applications Manager | 2021-01-26 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request. | |||||
| CVE-2021-3110 | 1 Prestashop | 1 Prestashop | 2021-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. | |||||
| CVE-2020-4921 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2021-01-22 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Security Guardium 10.6 and 11.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 191398. | |||||
| CVE-2021-22852 | 1 Hgiga | 1 Oaklouds Openid | 2021-01-22 | 6.5 MEDIUM | 8.8 HIGH |
| HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (online registration) to obtain database schema and data. | |||||
| CVE-2021-22851 | 1 Hgiga | 1 Oaklouds Openid | 2021-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (document management page) to obtain database schema and data. | |||||
| CVE-2021-23837 | 1 Flatcore | 1 Flatcore | 2021-01-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to be accepting malicious user input without proper sanitization, thus leading to SQL injection. Database related information can be successfully retrieved. | |||||
| CVE-2020-29493 | 1 Dell | 2 Emc Avamar Server, Emc Integrated Data Protection Appliance | 2021-01-21 | 7.5 HIGH | 9.8 CRITICAL |
| DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database, causing unauthorized read and write access to application data. Exploitation may lead to leakage or deletion of sensitive backup data; hence the severity is Critical. Dell EMC recommends customers to upgrade at the earliest opportunity. | |||||
| CVE-2020-29015 | 1 Fortinet | 1 Fortiweb | 2021-01-20 | 7.5 HIGH | 9.8 CRITICAL |
| A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement. | |||||