Total: 8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-3984 | 1 Vmware | 1 Sd-wan Orchestrator | 2020-12-07 | 4.0 MEDIUM | 6.5 MEDIUM | The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 does not apply correct input validation, which allows for SQL injection. An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries, which may lead to unauthorized data access. |
| CVE-2020-4003 | 1 Vmware | 1 Sd-wan Orchestrator | 2020-12-07 | 4.0 MEDIUM | 6.5 MEDIUM | VMware SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 was found to be vulnerable to SQL injection attacks allowing for potential information disclosure. An authenticated SD-WAN Orchestrator user may inject code into SQL queries, which may lead to information disclosure. |
| CVE-2020-25695 | 1 Postgresql | 1 Postgresql | 2020-12-07 | 6.5 MEDIUM | 8.8 HIGH | A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| CVE-2020-6880 | 1 Zte | 2 Zxv10 W908, Zxv10 W908 Firmware | 2020-12-04 | 7.5 HIGH | 9.8 CRITICAL | A ZXELINK wireless controller has a SQL injection vulnerability. Because the device does not properly filter parameters, a remote attacker who does not need to log in can send malicious SQL statements and, on success, obtain management rights. This affects: ZXV10 W908 all versions before MIPS_A_1022IPV6R3T6P7Y20. |
| CVE-2020-29283 | 1 Online Doctor Appointment Booking System Php And Mysql Project | 1 Online Doctor Appointment Booking System Php And Mysql | 2020-12-04 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php. |
| CVE-2020-29284 | 1 Multi Restaurant Table Reservation System Project | 1 Multi Restaurant Table Reservation System | 2020-12-04 | 7.5 HIGH | 9.8 CRITICAL | The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability. |
| CVE-2020-29285 | 1 Point Of Sales In Php/pdo Project | 1 Point Of Sales In Php/pdo | 2020-12-04 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php. |
| CVE-2020-29282 | 1 Bloodx Project | 1 Bloodx | 2020-12-04 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication. |
| CVE-2020-25700 | 2 Fedoraproject, Moodle | 2 Fedora, Moodle | 2020-12-03 | 4.0 MEDIUM | 6.5 MEDIUM | In Moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in Moodle 3.8.6, 3.7.9, 3.5.15, and 3.10. |
| CVE-2020-25839 | 1 Microfocus | 1 Identity Manager | 2020-12-03 | 7.5 HIGH | 9.8 CRITICAL | NetIQ Identity Manager 4.8 prior to version 4.8 SP2 HF1 is affected by an injection vulnerability. This vulnerability is fixed in NetIQ IdM 4.8 SP2 HF1. |
| CVE-2020-29280 | 1 Victor Cms Project | 1 Victor Cms | 2020-12-03 | 7.5 HIGH | 9.8 CRITICAL | The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page. |
| CVE-2020-29288 | 1 Gym Management System Project | 1 Gym Management System | 2020-12-03 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability was discovered in Gym Management System: in the manage_user.php file, the GET parameter 'id' is vulnerable. |
| CVE-2020-29287 | 1 Car Rental Management System Project | 1 Car Rental Management System | 2020-12-03 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability discovered in Car Rental Management System v1.0 can be exploited via the id parameter in view_car.php or the car_id parameter in booking.php. |
| CVE-2020-28091 | 1 Cxuu | 1 Cxuucms | 2020-12-01 | 5.0 MEDIUM | 7.5 HIGH | cxuucms v3 has a SQL injection vulnerability, which can lead to the leakage of all database data, via the keywords parameter of search.php. |
| CVE-2020-21667 | 1 Fastadmin-tp6 Project | 1 Fastadmin-tp6 | 2020-12-01 | 6.5 MEDIUM | 7.2 HIGH | In fastadmin-tp6 v1.0, in the file app/admin/controller/Ajax.php, the 'table' parameter passed is not filtered, so a malicious parameter can be passed for SQL injection. |
| CVE-2020-28133 | 1 Simple Grocery Store Sales And Inventory Sales Project | 1 Simple Grocery Store Sales And Inventory System | 2020-12-01 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in SourceCodester Simple Grocery Store Sales And Inventory System 1.0. An authentication bypass in the web login functionality allows an attacker to gain client privileges via SQL injection in sales_inventory/login.php. |
| CVE-2020-28183 | 1 Water Billing System Project | 1 Water Billing System | 2020-12-01 | 10.0 HIGH | 9.8 CRITICAL | SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the username and password parameters to process.php. |
| CVE-2013-4313 | 1 Moodle | 1 Moodle | 2020-12-01 | 7.5 HIGH | N/A | Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string. |
| CVE-2012-3395 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.5 MEDIUM | N/A | SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data. |
| CVE-2010-1615 | 1 Moodle | 1 Moodle | 2020-12-01 | 7.5 HIGH | N/A | Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php. |
| CVE-2012-2363 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.5 MEDIUM | N/A | SQL injection vulnerability in calendar/event.php in the calendar implementation in Moodle 1.9.x before 1.9.18 allows remote authenticated users to execute arbitrary SQL commands via a crafted calendar event. |
| CVE-2009-4305 | 1 Moodle | 1 Moodle | 2020-12-01 | 6.5 MEDIUM | N/A | SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allows remote authenticated users to execute arbitrary SQL commands via vectors related to an "escaping issue when processing AICC CRS file (Course_Title)." |
| CVE-2011-4292 | 1 Moodle | 1 Moodle | 2020-12-01 | 4.0 MEDIUM | N/A | Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations. |
| CVE-2020-21665 | 1 Fastadmin | 1 Fastadmin | 2020-11-30 | 6.5 MEDIUM | 7.2 HIGH | In fastadmin V1.0.0.20191212_beta, when a user with administrator rights has logged in, a malicious parameter can be passed for SQL injection in URL /admin/ajax/weigh. |
| CVE-2019-19876 | 1 Br-automation | 1 Industrial Automation Aprol | 2020-11-30 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An EnMon PHP script was vulnerable to SQL injection, a different vulnerability than CVE-2019-10006. |
| CVE-2020-28994 | 1 Karenderia Multiple Restaurant System Project | 1 Karenderia Multiple Restaurant System | 2020-11-30 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability was discovered in Karenderia Multiple Restaurant System, affecting versions 5.4.2 and below. The vulnerability allows an unauthenticated attacker to perform various tasks such as modifying and leaking all contents of the database. |
| CVE-2014-9519 | 1 Infinitewp | 1 Infinitewp | 2020-11-30 | 7.5 HIGH | N/A | SQL injection vulnerability in login.php in InfiniteWP Admin Panel before 2.4.3 allows remote attackers to execute arbitrary SQL commands via the email parameter. |
| CVE-2014-9520 | 1 Infinitewp | 1 Infinitewp | 2020-11-30 | 7.5 HIGH | N/A | SQL injection vulnerability in execute.php in InfiniteWP Admin Panel before 2.4.4 allows remote attackers to execute arbitrary SQL commands via the historyID parameter. |
| CVE-2020-25475 | 1 Newsscriptphp | 1 News Script Php Pro | 2020-11-27 | 7.5 HIGH | 9.8 CRITICAL | SimplePHPscripts News Script PHP Pro 2.3 is affected by a SQL injection via the id parameter in an editNews action. |
| CVE-2020-26075 | 1 Cisco | 1 Iot Field Network Director | 2020-11-25 | 9.0 HIGH | 8.8 HIGH | A vulnerability in the REST API of Cisco IoT Field Network Director (FND) could allow an authenticated, remote attacker to gain access to the back-end database of an affected device. The vulnerability is due to insufficient input validation of REST API requests that are made to an affected device. An attacker could exploit this vulnerability by crafting malicious API requests to the affected device. A successful exploit could allow the attacker to gain access to the back-end database of the affected device. |
| CVE-2020-13877 | 1 Resourcexpress | 1 Meeting Monitor | 2020-11-24 | 7.5 HIGH | 9.8 CRITICAL | SQL injection issues in various ASPX pages of ResourceXpress Meeting Monitor 4.9 could lead to remote code execution and information disclosure. |
| CVE-2020-27481 | 1 Goodlayers | 1 Good Learning Management System | 2020-11-23 | 7.5 HIGH | 9.8 CRITICAL | An unauthenticated SQL injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of a "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to reach the function "gdlr_lms_cancel_booking", where the POST parameter "id" is sent straight into an SQL query without sanitization. |
| CVE-2020-4647 | 1 Ibm | 1 Sterling File Gateway | 2020-11-23 | 6.5 MEDIUM | 8.8 HIGH | IBM Sterling File Gateway 2.2.0.0 through 2.2.6.5 and 6.0.0.0 through 6.0.3.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. |
| CVE-2020-4655 | 1 Ibm | 1 Sterling B2b Integrator | 2020-11-23 | 6.5 MEDIUM | 8.8 HIGH | IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.2 and 5.2.0.0 through 5.2.6.5 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 186091. |
| CVE-2020-28138 | 1 Online Clothing Store Project | 1 Online Clothing Store | 2020-11-23 | 7.5 HIGH | 9.8 CRITICAL | SourceCodester Online Clothing Store 1.0 is affected by a SQL injection via the txtUserName parameter to login.php. |
| CVE-2020-13769 | 1 Ivanti | 1 Endpoint Manager | 2020-11-21 | 6.5 MEDIUM | 8.8 HIGH | LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL injection via a /remotecontrolauth/api/device request. |
| CVE-2020-5659 | 1 Riken | 1 Xoonips | 2020-11-20 | 6.5 MEDIUM | 8.8 HIGH | SQL injection vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2020-26805 | 1 Sapplica | 1 Sentrifugo | 2020-11-17 | 6.5 MEDIUM | 7.2 HIGH | In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is affected by an SQLi vulnerability. An attacker can inject SQL commands into the query and read data from or write data into the database. |
| CVE-2011-2688 | 3 Apache, Debian, Mod Authnz External Project | 3 Http Server, Debian Linux, Mod Authnz External | 2020-11-16 | 7.5 HIGH | N/A | SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. |
| CVE-2020-24400 | 1 Magento | 1 Magento | 2020-11-12 | 5.5 MEDIUM | 7.1 HIGH | Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database. |
| CVE-2020-5504 | 3 Debian, Phpmyadmin, Suse | 3 Debian Linux, Phpmyadmin, Suse Linux Enterprise Server | 2020-11-10 | 6.5 MEDIUM | 8.8 HIGH | In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server. |
| CVE-2019-11057 | 1 Vtiger | 1 Vtiger Crm | 2020-11-10 | 6.5 MEDIUM | 8.8 HIGH | SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands. |
| CVE-2020-28115 | 1 Web-audimex | 1 Audimexee | 2020-11-10 | 6.5 MEDIUM | 8.8 HIGH | SQL injection vulnerability in the "Documents component" found in AudimexEE version 14.1.0 allows an attacker to execute arbitrary SQL commands via the object_path parameter. |
| CVE-2018-19952 | 1 Qnap | 2 Music Station, Qts | 2020-11-04 | 5.0 MEDIUM | 7.5 HIGH | If exploited, this SQL injection vulnerability could allow remote attackers to obtain application information. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. |
| CVE-2020-27886 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2020-11-04 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php). |
| CVE-2020-7759 | 1 Pimcore | 1 Pimcore | 2020-11-03 | 6.5 MEDIUM | 7.2 HIGH | The package pimcore/pimcore from 6.7.2 and before 6.8.3 is vulnerable to SQL injection in the data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically crafted input in the relationIds parameter, as demonstrated by the following request: http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds=[{"keyId"%3a"''","groupId"%3a"'asd'))+or+1%3d1+union+(select+1,2,3,4,5,6,name,8,password,'',11,12,'',14+from+users)+--+"}] |
| CVE-2020-27995 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-11-03 | 7.5 HIGH | 9.8 CRITICAL | SQL injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. |
| CVE-2020-10803 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2020-11-02 | 3.5 LOW | 5.4 MEDIUM | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack. |
| CVE-2020-10802 | 2 Debian, Phpmyadmin | 2 Debian Linux, Phpmyadmin | 2020-11-02 | 6.0 MEDIUM | 8.0 HIGH | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table. |
| CVE-2020-10804 | 1 Phpmyadmin | 1 Phpmyadmin | 2020-11-02 | 6.0 MEDIUM | 8.0 HIGH | In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges). |
