Total: 8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-25727 | 1 Flexsolution | 1 Reset Password | 2021-01-20 | 5.0 MEDIUM | 7.5 HIGH | The Reset Password add-on before 1.2.0 for Alfresco suffers from CMIS-SQL Injection, which allows a malicious user to inject a query within the email input field. |
| CVE-2021-3025 | 1 Invisioncommunity | 1 Ips Community Suite | 2021-01-15 | 6.5 MEDIUM | 8.8 HIGH | Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php). |
| CVE-2021-3118 | 1 Medicalexpo | 1 Ecs Imaging | 2021-01-14 | 7.5 HIGH | 9.8 CRITICAL | ** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form (such as /req_password_user.php?email=). This allows an attacker to steal data in the database and obtain access to the application. (The database component runs as root.) NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2020-23630 | 1 Zzcms | 1 Zzcms | 2021-01-14 | 6.5 MEDIUM | 8.8 HIGH | A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection). |
| CVE-2020-26773 | 1 Restaurant Reservation System Project | 1 Restaurant Reservation System | 2021-01-14 | 6.5 MEDIUM | 8.8 HIGH | Restaurant Reservation System 1.0 suffers from an authenticated SQL injection vulnerability, which allows a remote, authenticated attacker to execute arbitrary SQL commands via the date parameter in includes/reservation.inc.php. |
| CVE-2014-1608 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2021-01-12 | 7.5 HIGH | N/A | SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request. |
| CVE-2014-8554 | 1 Mantisbt | 1 Mantisbt | 2021-01-12 | 7.5 HIGH | N/A | SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1609. |
| CVE-2014-1609 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2021-01-12 | 7.5 HIGH | N/A | Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608. |
| CVE-2020-26045 | 1 Thedaylightstudio | 1 Fuel Cms | 2021-01-08 | 7.5 HIGH | 9.8 CRITICAL | FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. |
| CVE-2020-35742 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2021-01-07 | 6.5 MEDIUM | 7.6 HIGH | HGiga MailSherlock contains a vulnerability of SQL Injection. Attackers can inject and launch SQL commands in a URL parameter. |
| CVE-2020-35743 | 1 Hgiga | 4 Msr45 Isherlock-antispam, Msr45 Isherlock-user, Ssr45 Isherlock-antispam and 1 more | 2021-01-07 | 6.5 MEDIUM | 7.6 HIGH | HGiga MailSherlock contains a SQL injection flaw. Attackers can inject and launch SQL commands in a URL parameter of specific cgi pages. |
| CVE-2020-36112 | 1 Cse Bookstore Project | 1 Cse Bookstore | 2021-01-07 | 7.5 HIGH | 9.8 CRITICAL | CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database on which the web application is running. |
| CVE-2021-3018 | 1 Ipeak | 1 Ipeakcms | 2021-01-07 | 7.5 HIGH | 9.8 CRITICAL | ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page. |
| CVE-2021-3021 | 1 Ispconfig | 1 Ispconfig | 2021-01-07 | 7.5 HIGH | 9.8 CRITICAL | ISPConfig before 3.2.2 allows SQL injection. |
| CVE-2020-29437 | 1 Orangehrm | 1 Orangehrm | 2021-01-07 | 5.5 MEDIUM | 8.1 HIGH | SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. |
| CVE-2020-28413 | 1 Mantisbt | 1 Mantisbt | 2021-01-05 | 4.0 MEDIUM | 6.5 MEDIUM | In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP. |
| CVE-2019-7726 | 1 Nukeviet | 1 Nukeviet | 2021-01-05 | 7.5 HIGH | 9.8 CRITICAL | modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent). |
| CVE-2020-29228 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2021-01-04 | 5.0 MEDIUM | 7.5 HIGH | EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login Page. |
| CVE-2020-27848 | 1 Dotcms | 1 Dotcms | 2021-01-04 | 6.5 MEDIUM | 8.8 HIGH | dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of a REST endpoints do not sanitize the orderBy parameter and in some cases it is vulnerable to SQL injection attacks. A user must be an authenticated manager in the dotCMS system to exploit this vulnerability. |
| CVE-2020-35613 | 1 Joomla | 1 Joomla! | 2020-12-30 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list. |
| CVE-2020-35242 | 1 Flamingo Project | 1 Flamingo | 2020-12-29 | 7.5 HIGH | 9.8 CRITICAL | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory. |
| CVE-2020-35243 | 1 Flamingo Project | 1 Flamingo | 2020-12-29 | 7.5 HIGH | 9.8 CRITICAL | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb. |
| CVE-2020-35244 | 1 Flamingo Project | 1 Flamingo | 2020-12-29 | 7.5 HIGH | 9.8 CRITICAL | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup. |
| CVE-2020-35245 | 1 Flamingo Project | 1 Flamingo | 2020-12-29 | 7.5 HIGH | 9.8 CRITICAL | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser. |
| CVE-2020-35708 | 1 Phplist | 1 Phplist | 2020-12-28 | 6.5 MEDIUM | 7.2 HIGH | phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. |
| CVE-2008-4080 | 1 Stash | 1 Stash | 2020-12-28 | 6.8 MEDIUM | N/A | SQL injection vulnerability in Stash 1.0.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) username parameter to admin/library/authenticate.php and the (2) download parameter to downloadmp3.php. NOTE: some of these details are obtained from third party information. |
| CVE-2020-35666 | 1 Steedos | 1 Steedos | 2020-12-23 | 6.5 MEDIUM | 8.8 HIGH | Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value. |
| CVE-2020-35276 | 1 Egavilanmedia | 1 Ecm Address Book | 2020-12-23 | 7.5 HIGH | 9.8 CRITICAL | EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user. |
| CVE-2020-28070 | 1 Alumni Management System Project | 1 Alumni Management System | 2020-12-23 | 7.5 HIGH | 9.8 CRITICAL | SourceCodester Alumni Management System 1.0 is affected by SQL injection causing arbitrary remote code execution from GET input in view_event.php via the 'id' parameter. |
| CVE-2020-28073 | 1 Library Management System Project | 1 Library Management System | 2020-12-23 | 7.5 HIGH | 9.8 CRITICAL | SourceCodester Library Management System 1.0 is affected by SQL Injection allowing an attacker to bypass the user authentication and impersonate any user on the system. |
| CVE-2020-28074 | 1 Online Health Care System Project | 1 Online Health Care System | 2020-12-23 | 7.5 HIGH | 9.8 CRITICAL | SourceCodester Online Health Care System 1.0 is affected by SQL Injection which allows a potential attacker to bypass the authentication system and become an admin. |
| CVE-2020-13968 | 1 Crk | 1 Business Platform | 2020-12-23 | 7.5 HIGH | 9.8 CRITICAL | CRK Business Platform <= 2019.1 allows can inject SQL statements against the DB on any path using the 'strSessao' parameter. |
| CVE-2020-27660 | 1 Synology | 1 Safeaccess | 2020-12-22 | 10.0 HIGH | 9.8 CRITICAL | SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. |
| CVE-2020-11717 | 1 Bilanc | 1 Bilanc | 2020-12-22 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Programi 014 31.01.2020. It has multiple SQL injection vulnerabilities. |
| CVE-2020-21377 | 1 Yunyecms | 1 Yunyecms | 2020-12-22 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in yunyecms V2.0.1 via the selcart parameter. |
| CVE-2020-21378 | 1 Seacms | 1 Seacms | 2020-12-22 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php. |
| CVE-2020-20300 | 1 Weiphp | 1 Weiphp | 2020-12-22 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in the wp_where function in WeiPHP 5.0. |
| CVE-2020-35545 | 1 Spotweb Project | 1 Spotweb | 2020-12-21 | 7.5 HIGH | 9.8 CRITICAL | Time-based SQL injection exists in Spotweb 1.4.9 via the query string. |
| CVE-2020-35122 | 1 Keysight | 1 Keysight Database Connector | 2020-12-17 | 4.0 MEDIUM | 7.5 HIGH | An issue was discovered in the Keysight Database Connector plugin before 1.5.0 for Confluence. A malicious user could bypass the access controls for using a saved database connection profile to submit arbitrary SQL against a saved database connection. |
| CVE-2020-16104 | 1 Gallagher | 1 Command Centre | 2020-12-16 | 6.5 MEDIUM | 7.2 HIGH | SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions. |
| CVE-2018-12636 | 1 Ithemes | 1 Security | 2020-12-16 | 6.5 MEDIUM | 7.2 HIGH | The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. |
| CVE-2020-25889 | 1 Online Bus Booking System Project | 1 Online Bus Booking System | 2020-12-15 | 7.5 HIGH | 9.8 CRITICAL | Online Bus Booking System Project Using PHP/MySQL version 1.0 has SQL injection via the login page. By placing SQL injection payload on the login page attackers can bypass the authentication and can gain the admin privilege. |
| CVE-2020-28860 | 1 Openasset | 1 Digital Asset Management | 2020-12-15 | 6.5 MEDIUM | 8.8 HIGH | OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection. |
| CVE-2020-20189 | 1 Newpk Project | 1 Newpk | 2020-12-15 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in NewPK 1.1 via the title parameter to admin\newpost.php. |
| CVE-2019-19286 | 1 Siemens | 1 Xhq | 2020-12-15 | 6.5 MEDIUM | 7.2 HIGH | A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow SQL injection attacks if an attacker is able to modify content of particular web pages. |
| CVE-2020-35382 | 1 Classroombookings | 1 Classroombookings | 2020-12-14 | 6.5 MEDIUM | 7.2 HIGH | SQL Injection in Classbooking before 2.4.1 via the username field of a CSV file when adding a new user. |
| CVE-2020-35378 | 1 Online Bus Ticket Reservation Project | 1 Online Bus Ticket Reservation | 2020-12-14 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection in the login page in Online Bus Ticket Reservation 1.0 allows attackers to execute arbitrary SQL commands and bypass authentication via the username and password fields. |
| CVE-2020-29574 | 1 Sophos | 1 Cyberoamos | 2020-12-14 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. |
| CVE-2020-19165 | 1 Phpshe | 1 Phpshe | 2020-12-14 | 7.5 HIGH | 9.8 CRITICAL | PHPSHE 1.7 has SQL injection via the admin.php?mod=user&userlevel_id=1 userlevel_id[] parameter. |
| CVE-2020-14207 | 1 Divebook Project | 1 Divebook | 2020-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | The DiveBook plugin 1.1.4 for WordPress was prone to a SQL injection within divelog.php, allowing unauthenticated users to retrieve data from the database via the divelog.php filter_diver parameter. |
