Search
Total
8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-10738 | 1 Nagios | 1 Nagios Xi | 2018-06-15 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter. | |||||
| CVE-2018-1280 | 1 Pivotal Software | 1 Greenplum Command Center | 2018-06-14 | 5.0 MEDIUM | 7.5 HIGH |
| Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in disclosure of database contents. | |||||
| CVE-2018-10256 | 1 Hrsale Project | 1 Hrsale | 2018-06-13 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query. | |||||
| CVE-2018-10284 | 1 Adaltech | 1 G-ticket | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| Adaltech G-Ticket v70 EME104 has SQL Injection via the mobile-loja/mensagem.asp eve_cod parameter. | |||||
| CVE-2018-10283 | 1 Cliquemania | 1 Loja Virtual | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| CliqueMania loja virtual 14 has SQL Injection via the patch/remote.php id parameter in a recomendar action. | |||||
| CVE-2018-8824 | 2 Prestashop, Responsive Mega Menu Pro Project | 2 Prestashop, Responsive Mega Menu Pro | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter. | |||||
| CVE-2018-10757 | 1 Csp Mysql User Manager Project | 1 Csp Mysql User Manager | 2018-06-12 | 7.5 HIGH | 9.8 CRITICAL |
| CSP MySQL User Manager 2.3.1 allows SQL injection, and resultant Authentication Bypass, via a crafted username during a login attempt. | |||||
| CVE-2012-3350 | 1 Valarsoft | 1 Webmatic | 2018-05-29 | 6.8 MEDIUM | N/A |
| SQL injection vulnerability in index.php in Webmatic 3.1.1 allows remote attackers to execute arbitrary SQL commands via the Referer HTTP header. | |||||
| CVE-2018-9245 | 1 Ericssonlg | 1 Ipecs Nms | 2018-05-25 | 10.0 HIGH | 9.8 CRITICAL |
| The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating system. | |||||
| CVE-2018-9102 | 1 Mitel | 2 Mivoice Connect, St 14.2 | 2018-05-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the signin interface. A successful exploit could allow an attacker to extract sensitive information from the database. | |||||
| CVE-2017-1722 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2018-05-25 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Security QRadar SIEM 7.2 and 7.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 134811. | |||||
| CVE-2017-17902 | 1 Kliqqi | 1 Kliqqi Cms | 2018-05-24 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI. | |||||
| CVE-2018-1292 | 1 Apache | 1 Fineract | 2018-05-22 | 5.5 MEDIUM | 8.1 HIGH |
| Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter. | |||||
| CVE-2018-1291 | 1 Apache | 1 Fineract | 2018-05-22 | 5.5 MEDIUM | 8.1 HIGH |
| Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query parameter by way of the "order" param in such a way to read/update the data for which he doesn't have authorization. | |||||
| CVE-2018-1290 | 1 Apache | 1 Fineract | 2018-05-22 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of MakercheckersApiResource Class. | |||||
| CVE-2018-1289 | 1 Apache | 1 Fineract | 2018-05-22 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' and 'sortOrder' query parameter in such a way to read/update the data for which he doesn't have authorization. | |||||
| CVE-2018-8953 | 1 Ca | 1 Workload Automation Ae | 2018-05-17 | 6.5 MEDIUM | 8.8 HIGH |
| CA Workload Automation AE before r11.3.6 SP7 allows remote attackers to a perform SQL injection via a crafted HTTP request. | |||||
| CVE-2018-10225 | 1 Thinkphp | 1 Thinkphp | 2018-05-17 | 7.5 HIGH | 9.8 CRITICAL |
| thinkphp 3.1.3 has SQL Injection via the index.php s parameter. | |||||
| CVE-2018-0530 | 1 Cybozu | 1 Garoon | 2018-05-17 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the Cybozu Garoon 3.5.0 to 4.2.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-9839 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2018-05-16 | 6.5 MEDIUM | 8.8 HIGH |
| Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 via product/stats/card.php (type parameter). | |||||
| CVE-2017-18260 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2018-05-16 | 6.5 MEDIUM | 8.8 HIGH |
| Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter). | |||||
| CVE-2018-1282 | 1 Apache | 1 Hive | 2018-05-15 | 7.5 HIGH | 9.1 CRITICAL |
| This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation. | |||||
| CVE-2018-9230 | 1 Openresty | 1 Openresty | 2018-05-15 | 7.5 HIGH | 9.8 CRITICAL |
| ** DISPUTED ** In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty. | |||||
| CVE-2018-9247 | 1 Gxlcms | 1 Gxlcms Qy | 2018-05-09 | 7.5 HIGH | 9.8 CRITICAL |
| The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename. | |||||
| CVE-2018-9309 | 1 Zzcms | 1 Zzcms | 2018-05-09 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request. | |||||
| CVE-2018-10050 | 1 Iscripts | 1 Eswap | 2018-05-09 | 6.5 MEDIUM | 7.2 HIGH |
| iScripts eSwap v2.4 has SQL injection via the "registration_settings.php" ddlFree parameter in the Admin Panel. | |||||
| CVE-2016-1000118 | 1 Huge-it | 1 Slideshow | 2018-05-02 | 6.5 MEDIUM | 7.2 HIGH |
| XSS & SQLi in HugeIT slideshow v1.0.4 | |||||
| CVE-2016-1000119 | 1 Huge-it | 1 Catalog | 2018-05-02 | 6.5 MEDIUM | 7.2 HIGH |
| SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla | |||||
| CVE-2014-4959 | 1 Google | 1 Android | 2018-04-23 | 7.5 HIGH | 9.8 CRITICAL |
| **DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the SQLi Api in Android allows remote attackers to execute arbitrary SQL commands via the delete method. | |||||
| CVE-2018-8820 | 1 Square-9 | 1 Globalforms | 2018-04-23 | 6.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQL injection vulnerability in the "match" parameter allows remote authenticated attackers to execute arbitrary SQL commands. It is possible to upgrade access to full server compromise via xp_cmdshell. In some cases, the authentication requirement for the attack can be met by sending the default admin credentials. | |||||
| CVE-2014-2652 | 1 Unify | 1 Openscape Deployment Service | 2018-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in OpenScape Deployment Service (DLS) before 6.x and 7.x before R1.11.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2018-7269 | 1 Yiiframework | 1 Yii | 2018-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input. | |||||
| CVE-2018-8943 | 1 Phpshe | 1 Phpshe | 2018-04-18 | 7.5 HIGH | 9.8 CRITICAL |
| There is a SQL injection in the PHPSHE 1.6 userbank parameter. | |||||
| CVE-2018-8967 | 1 Zzcms | 1 Zzcms | 2018-04-17 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request. | |||||
| CVE-2018-9924 | 1 Icmsdev | 1 Icms | 2018-04-17 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request. | |||||
| CVE-2018-1000131 | 1 Wpsupportplus | 1 Wp Support Plus Responsive Ticket System | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appear to be exploitable via web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later. | |||||
| CVE-2017-17957 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter. | |||||
| CVE-2017-17959 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter. | |||||
| CVE-2017-17950 | 1 Cells | 1 Blog | 2018-04-13 | 6.5 MEDIUM | 8.8 HIGH |
| Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter. | |||||
| CVE-2017-17951 | 1 Php Multivendor Ecommerce Project | 1 Php Multivendor Ecommerce | 2018-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter. | |||||
| CVE-2018-6843 | 1 Kentico | 1 Kentico Cms | 2018-04-12 | 6.5 MEDIUM | 7.2 HIGH |
| Kentico 10 before 10.0.50 and 11 before 11.0.3 has SQL injection in the administration interface. | |||||
| CVE-2018-7474 | 1 Textpattern | 1 Textpattern | 2018-04-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php. | |||||
| CVE-2018-7538 | 1 Enalean | 1 Tuleap | 2018-04-10 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18 allows attackers to execute arbitrary SQL commands. | |||||
| CVE-2018-8045 | 1 Joomla | 1 Joomla\! | 2018-04-09 | 6.5 MEDIUM | 8.8 HIGH |
| In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view. | |||||
| CVE-2018-6228 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 10.0 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in a Trend Micro Email Encryption Gateway 5.5 policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system. | |||||
| CVE-2018-6230 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 8.3 HIGH | 6.8 MEDIUM |
| A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system. | |||||
| CVE-2018-6229 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 10.0 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 edit policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system. | |||||
| CVE-2018-7666 | 1 Clip-bucket | 1 Clipbucket | 2018-03-27 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ClipBucket before 4.0.0 Release 4902. SQL injection vulnerabilities exist in the actions/vote_channel.php channelId parameter, the ajax/commonAjax.php email parameter, and the ajax/commonAjax.php username parameter. | |||||
| CVE-2018-7735 | 1 Afian | 1 Filerun | 2018-03-26 | 6.5 MEDIUM | 7.2 HIGH |
| Afian FileRun (before 2018.02.13) suffers from a remote SQL injection vulnerability, when logged in as superuser, via the search parameter in a /?module=metadata§ion=cpanel&page=list_filetypes request. | |||||
| CVE-2018-7734 | 1 Afian | 1 Filerun | 2018-03-26 | 6.5 MEDIUM | 7.2 HIGH |
| Afian FileRun (before 2018.02.13) suffers from a remote SQL injection vulnerability, when logged in as superuser, via the search parameter in a /?module=users§ion=cpanel&page=list request. | |||||