Search
Total
8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25034 | 1 Fireeye | 2 Email Malware Protection System, Ex 3500 | 2020-10-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| eMPS prior to eMPS 9.0 FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort, sort_by, search{URL], or search[attachment] parameter to the email search feature. | |||||
| CVE-2020-9417 | 1 Tibco | 3 Foresight Archive And Retrieval System, Foresight Operational Monitor, Foresight Transaction Insight | 2020-10-30 | 6.5 MEDIUM | 8.8 HIGH |
| The Transaction Insight reporting component of TIBCO Software Inc.'s TIBCO Foresight Archive and Retrieval System, TIBCO Foresight Archive and Retrieval System Healthcare Edition, TIBCO Foresight Operational Monitor, TIBCO Foresight Operational Monitor Healthcare Edition, TIBCO Foresight Transaction Insight, and TIBCO Foresight Transaction Insight Healthcare Edition contains a vulnerability that theoretically allows an authenticated attacker to perform SQL injection. Affected releases are TIBCO Software Inc.'s TIBCO Foresight Archive and Retrieval System: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Archive and Retrieval System Healthcare Edition: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Operational Monitor: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Operational Monitor Healthcare Edition: versions 5.1.0 and below, version 5.2.0, TIBCO Foresight Transaction Insight: versions 5.1.0 and below, version 5.2.0, and TIBCO Foresight Transaction Insight Healthcare Edition: versions 5.1.0 and below, version 5.2.0. | |||||
| CVE-2020-17373 | 1 Sugarcrm | 1 Sugarcrm | 2020-10-28 | 3.5 LOW | 5.3 MEDIUM |
| SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection. | |||||
| CVE-2020-5651 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2020-10-27 | 6.8 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL. | |||||
| CVE-2020-23945 | 1 Victor Cms Project | 1 Victor Cms | 2020-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection vulnerability exists in Victor CMS V1.0 in the cat_id parameter of the category.php file. This parameter can be used by sqlmap to obtain data information in the database. | |||||
| CVE-2020-26546 | 1 Evolutionscript | 1 Helpdeskz | 2020-10-27 | 5.0 MEDIUM | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in HelpDeskZ 1.0.2. The feature to auto-login a user, via the RememberMe functionality, is prone to SQL injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2016-3046 | 1 Ibm | 5 Security Access Manager 9.0 Firmware, Security Access Manager For Mobile, Security Access Manager For Mobile Appliance and 2 more | 2020-10-27 | 4.0 MEDIUM | 2.7 LOW |
| IBM Security Access Manager for Web is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements which could allow the attacker to view information in the back-end database. | |||||
| CVE-2020-26944 | 2 Aptean, Microsoft | 2 Product Configurator, Windows | 2020-10-26 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Aptean Product Configurator 4.61.0000 on Windows. A Time based SQL injection affects the nameTxt parameter on the main login page (aka cse?cmd=LOGIN). This can be exploited directly, and remotely. | |||||
| CVE-2020-27615 | 1 Loginizer | 1 Loginizer | 2020-10-23 | 7.5 HIGH | 9.8 CRITICAL |
| The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip. | |||||
| CVE-2020-25157 | 1 Advantech | 1 R-seenet | 2020-10-22 | 5.0 MEDIUM | 7.5 HIGH |
| The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information. | |||||
| CVE-2019-4680 | 1 Ibm | 1 Sterling B2b Integrator | 2020-10-20 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.2.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 171733. | |||||
| CVE-2020-7383 | 1 Rapid7 | 1 Nexpose | 2020-10-19 | 5.5 MEDIUM | 8.1 HIGH |
| A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access. | |||||
| CVE-2018-6373 | 1 Fastballproductions | 1 Fastball | 2020-10-19 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in the Fastball 2.5 component for Joomla! via the season parameter in a view=player action. | |||||
| CVE-2020-15176 | 1 Glpi-project | 1 Glpi | 2020-10-16 | 5.0 MEDIUM | 8.6 HIGH |
| In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2 | |||||
| CVE-2020-15849 | 1 Re-desk | 1 Re\ | 2020-10-16 | 6.5 MEDIUM | 7.2 HIGH |
| Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for authorization bypass and taking over additional accounts by means of modifying password-reset tokens stored in the database. Remote command execution is also possible by leveraging this to abuse the Yii framework's bizRule functionality, allowing for arbitrary PHP code to be executed by the application. Remote command execution is also possible by using this together with a separate insecure file upload vulnerability (CVE-2020-15488). | |||||
| CVE-2020-24568 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2020-10-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information. | |||||
| CVE-2020-15226 | 1 Glpi-project | 1 Glpi | 2020-10-14 | 5.0 MEDIUM | 4.3 MEDIUM |
| In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory. | |||||
| CVE-2020-15927 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-10-14 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. | |||||
| CVE-2020-16267 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-10-14 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. | |||||
| CVE-2020-15533 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-10-13 | 7.5 HIGH | 9.8 CRITICAL |
| In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. | |||||
| CVE-2020-26518 | 1 Artica | 1 Pandora Fms | 2020-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter. | |||||
| CVE-2020-15487 | 1 Re-desk | 1 Re\ | 2020-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL statements via a crafted URL. Unauthenticated remote command execution is possible by using this SQL injection to update certain database values, which are then executed by a bizRule eval() function in the yii/framework/web/auth/CAuthManager.php file. Resultant authorization bypass is also possible, by recovering or modifying password hashes and password reset tokens, allowing for administrative privileges to be obtained. | |||||
| CVE-2020-24569 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2020-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the knximport component via an advanced attack vector, allowing logged in attackers to discover arbitrary information. | |||||
| CVE-2020-25762 | 1 Seat Reservation System Project | 1 Seat Reservation System | 2020-10-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in SourceCodester Seat Reservation System 1.0. The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the post request to /admin/ajax.php?action=login and bypass authentication, extract sensitive information etc. | |||||
| CVE-2019-7316 | 1 Css-tricks | 1 Chat2 | 2020-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in CSS-TRICKS Chat2 through 2015-05-05. The userid parameter in jumpin.php has a SQL injection vulnerability. | |||||
| CVE-2020-26525 | 1 Damstratechnology | 1 Smart Asset | 2020-10-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers. | |||||
| CVE-2020-25990 | 1 Websitebaker | 1 Websitebaker | 2020-10-05 | 7.5 HIGH | 9.8 CRITICAL |
| WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | |||||
| CVE-2020-10381 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2020-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. There is an unauthenticated SQL injection in DATA24, allowing attackers to discover database and table names. | |||||
| CVE-2020-20800 | 1 Metinfo | 1 Metinfo | 2020-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the install/index.php?action=adminsetup&cndata=yes&endata=yes&showdata=yes URI. | |||||
| CVE-2020-26042 | 1 Hoosk | 1 Hoosk | 2020-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hoosk CMS v1.8.0. There is a SQL injection vulnerability in install/index.php | |||||
| CVE-2020-12870 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2020-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| RainbowFish PacsOne Server 6.8.4 allows SQL injection on the username parameter in the signup page. | |||||
| CVE-2020-8887 | 1 Telestream | 2 Medius, Sentry | 2020-09-30 | 5.0 MEDIUM | 7.5 HIGH |
| Telestream Tektronix Medius before 10.7.5 and Sentry before 10.7.5 have a SQL injection vulnerability allowing an unauthenticated attacker to dump database contents via the page parameter in a page=login request to index.php (aka the server login page). | |||||
| CVE-2020-15394 | 1 Zohocorp | 1 Manageengine Applications Manager | 2020-09-30 | 7.5 HIGH | 9.8 CRITICAL |
| The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. | |||||
| CVE-2020-24623 | 1 Hpe | 1 Universal Api Framework | 2020-09-30 | 3.3 LOW | 6.5 MEDIUM |
| A potential security vulnerability has been identified in Hewlett Packard Enterprise Universal API Framework. The vulnerability could be remotely exploited to allow SQL injection in HPE Universal API Framework for VMware Esxi v2.5.2 and HPE Universal API Framework for Microsoft Hyper-V (VHD). | |||||
| CVE-2017-17110 | 1 Techno - Portfolio Management Panel Project | 1 Techno - Portfolio Management Panel | 2020-09-30 | 7.5 HIGH | 9.8 CRITICAL |
| Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL commands via a single.php?id= request. | |||||
| CVE-2020-25147 | 1 Observium | 1 Observium | 2020-09-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. This can occur via username[0] to the default URI, because of includes/authenticate.inc.php. | |||||
| CVE-2020-25143 | 1 Observium | 1 Observium | 2020-09-30 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. This can occur via /ajax/device_entities.php?entity_type=netscalervsvr&device_id[]= because of /ajax/device_entities.php. | |||||
| CVE-2020-25132 | 1 Observium | 1 Observium | 2020-09-30 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending the improper variable type Array allows a bypass of core SQL Injection sanitization. Users are able to inject malicious statements in multiple functions. This vulnerability leads to full authentication bypass: any unauthorized user with access to the application is able to exploit this vulnerability. This can occur via the Cookie header to the default URI, within includes/authenticate.inc.php. | |||||
| CVE-2020-25130 | 1 Observium | 1 Observium | 2020-09-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending an improper variable type of Array allows a bypass of core SQL Injection sanitization. Authenticated users are able to inject malicious SQL queries. This vulnerability leads to full database leak including ckeys that can be used in the authentication process without knowing the username and cleartext password. This can occur via the ajax/actions.php group_id field. | |||||
| CVE-2020-8158 | 1 Typeorm | 1 Typeorm | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks. | |||||
| CVE-2017-17589 | 1 Thumbtack Clone Project | 1 Thumbtack Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Thumbtack Clone 1.0 has SQL Injection via the browse-category.php cat parameter or the browse-scategory.php sc parameter. | |||||
| CVE-2017-17643 | 1 Lynda Clone Project | 1 Lynda Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/. | |||||
| CVE-2017-17588 | 1 Imdb Clone Project | 1 Imdb Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvshow.php s parameter, or show_misc_video.php id parameter. | |||||
| CVE-2017-17587 | 1 Indiamart Clone Project | 1 Indiamart Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter. | |||||
| CVE-2017-17586 | 1 Olx Clone Project | 1 Olx Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter. | |||||
| CVE-2017-17584 | 1 Makemytrip Clone Project | 1 Makemytrip Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter. | |||||
| CVE-2017-17583 | 1 Shutterstock Clone Project | 1 Shutterstock Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter. | |||||
| CVE-2017-17585 | 1 Monster Clone Project | 1 Monster Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter. | |||||
| CVE-2017-17582 | 1 Grubhub Clone Project | 1 Grubhub Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter. | |||||
| CVE-2017-17579 | 1 Freelancer Clone Project | 1 Freelancer Clone | 2020-09-29 | 7.5 HIGH | 9.8 CRITICAL |
| FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter. | |||||