Total: 9311 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-44280 | 1 Attendance Management System Project | 1 Attendance Management System | 2021-12-22 | 7.5 HIGH | 9.8 CRITICAL | Attendance Management System 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.
CVE-2021-41262 | 1 Galette | 1 Galette | 2021-12-21 | 6.5 MEDIUM | 8.8 HIGH | Galette is a membership management web application built for non-profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to SQL injection attacks by users with "member" privilege. Users are advised to upgrade to version 0.9.6 as soon as possible. There are no known workarounds.
CVE-2021-40850 | 1 Tcman | 1 Gim | 2021-12-21 | 7.5 HIGH | 9.8 CRITICAL | TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx.
CVE-2021-43806 | 1 Enalean | 1 Tuleap | 2021-12-21 | 6.5 MEDIUM | 8.8 HIGH | Tuleap is a Libre and Open Source tool for end-to-end traceability of application and system developments. In affected versions Tuleap does not properly sanitize user settings when constructing the SQL query to browse and search commits in the CVS repositories. An authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Edition 13.2.99.155, Tuleap Enterprise Edition 13.1-7, and Tuleap Enterprise Edition 13.2-6.
CVE-2021-43830 | 1 Openproject | 1 Openproject | 2021-12-20 | 6.5 MEDIUM | 8.8 HIGH | OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget insufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch
CVE-2021-44350 | 1 Thinkphp | 1 Thinkphp | 2021-12-20 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability exists in ThinkPHP5 5.0.x <= 5.1.22 via the parseOrder function in Builder.php.
CVE-2021-43822 | 1 Jackalope Doctrine-dbal Project | 1 Jackalope Doctrine-dbal | 2021-12-17 | 6.8 MEDIUM | 7.5 HIGH | Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that an accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or if you validate the user input to not contain `;`, you are not affected.
CVE-2021-44966 | 1 Employee Record Management System Project | 1 Employee Record Management System | 2021-12-16 | 10.0 HIGH | 9.8 CRITICAL | SQL injection authentication bypass vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. An attacker can log in as an admin account of this system and can destroy, change or manipulate all sensitive information on the system.
CVE-2021-24863 | 1 Stopbadbots | 1 Block And Stop Bad Bots | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL | The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection.
CVE-2021-40578 | 1 Online Enrollment Management System Project | 1 Online Enrollment Management System | 2021-12-16 | 6.5 MEDIUM | 7.2 HIGH | An authenticated blind and error-based SQL injection vulnerability was discovered in Online Enrollment Management System in PHP and PayPal Free Source Code 1.0, which allows attackers to obtain sensitive information and execute arbitrary SQL commands via the IDNO parameter.
CVE-2021-37808 | 1 News Portal Project | 1 News Portal | 2021-12-16 | 4.3 MEDIUM | 5.9 MEDIUM | SQL injection vulnerabilities exist in https://phpgurukul.com News Portal Project 3.1 via the (1) category, (2) subcategory, (3) sucatdescription, and (4) username parameters; the server response is delayed by about (N) seconds respectively, which means it is vulnerable to MySQL blind (time-based) injection. An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database.
CVE-2021-42668 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability in order to get remote code execution on the remote web server.
CVE-2021-42064 | 1 Sap | 1 Commerce | 2021-12-16 | 6.8 MEDIUM | 9.8 CRITICAL | If configured to use an Oracle database and if a query is created using the flexible search Java API with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011 - allows an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.
CVE-2021-24861 | 1 Quotes Collection Project | 1 Quotes Collection | 2021-12-16 | 6.5 MEDIUM | 7.2 HIGH | The Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection.
CVE-2021-44026 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
CVE-2021-24951 | 1 Thimpress | 1 Learnpress | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL | The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating a course/lesson/quiz/question, leading to SQL injection issues.
CVE-2021-42945 | 1 Zzcms | 1 Zzcms | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability exists in ZZCMS 2021 via the askbigclassid parameter in /admin/ask.php.
CVE-2021-45014 | 1 Taogogo | 1 Taocms | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL | There is an upload SQL injection vulnerability in the backend of taocms 3.0.2 via the id parameter: action=cms&ctrl=update&id=26
CVE-2014-7959 | 1 Ait-pro | 1 Bulletproof Security | 2021-12-15 | 6.5 MEDIUM | N/A | SQL injection vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tableprefix parameter.
CVE-2021-41492 | 1 Simple Cashiering System Project | 1 Simple Cashiering System | 2021-12-15 | 7.5 HIGH | 9.8 CRITICAL | Multiple SQL injection vulnerabilities exist in Sourcecodester Simple Cashiering System (POS) 1.0 via (1) the Product Code on the POS page in cashiering, (2) the id parameter in manage_products, and (3) the t parameter in actions.php.