Total: 9311 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-18262 | 1 Ed01-cms Project | 1 Ed01-cms | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL | ED01-CMS v1.0 was discovered to contain a SQL injection in the component cposts.php via the cid parameter. |
CVE-2020-18263 | 1 Php-cms Project | 1 Php-cms | 2021-11-05 | 5.0 MEDIUM | 7.5 HIGH | PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability in the component search.php via the search parameter. This vulnerability allows attackers to access sensitive database information. |
CVE-2020-24000 | 1 Eyoucms | 1 Eyoucms | 2021-11-04 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in eyoucms cms v1.4.7, allows attackers to execute arbitrary code and disclose sensitive information, via the tid parameter to index.php. |
CVE-2020-12013 | 2 Iconics, Mitsubishielectric | 11 Bizviz, Energy Analytix, Facility Analytix and 8 more | 2021-11-04 | 6.4 MEDIUM | 9.1 CRITICAL | A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior. |
CVE-2021-36184 | 1 Fortinet | 1 Fortiwlm | 2021-11-04 | 4.0 MEDIUM | 6.5 MEDIUM | An improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows an attacker to disclose device, user and database information via crafted HTTP requests. |
CVE-2021-31849 | 1 Mcafee | 1 Data Loss Prevention Endpoint | 2021-11-03 | 6.5 MEDIUM | 7.2 HIGH | SQL injection vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.7.100 allows a remote attacker logged into ePO as an administrator to inject arbitrary SQL into the ePO database through the user management section of the DLP ePO extension. |
CVE-2021-39179 | 1 Dhis2 | 1 Dhis 2 | 2021-11-02 | 6.5 MEDIUM | 8.8 HIGH | DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands via unspecified vectors. This vulnerability affects the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` API endpoints in all DHIS2 versions 2.34, 2.35, and 2.36. It also affects versions 2.32 and 2.33 which have reached *end of support*; exceptional security updates have been added to the latest *end of support* builds for these versions. Versions 2.31 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user; the vulnerability requires a conscious attack to be exploited. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. Security patches are available in DHIS2 versions 2.32-EOS, 2.33-EOS, 2.34.7, 2.35.7, and 2.36.4. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` endpoints as a temporary workaround while waiting to upgrade. |
CVE-2021-37807 | 1 Online Shopping Portal Project | 1 Online Shopping Portal | 2021-11-02 | 5.0 MEDIUM | 7.5 HIGH | An SQL Injection vulnerability exists in https://phpgurukul.com Online Shopping Portal 3.1 via the email parameter on the /check_availability.php endpoint, which serves as a checker for whether a new user's email already exists in the database. |
CVE-2021-26739 | 1 Doyocms Project | 1 Doyocms | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in pay.php in millken doyocms 2.3, allows attackers to execute arbitrary code, via the attribute parameter. |
CVE-2021-27644 | 1 Apache | 1 Dolphinscheduler | 2021-11-02 | 6.0 MEDIUM | 8.8 HIGH | In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password) |
CVE-2021-41187 | 1 Dhis2 | 1 Dhis 2 | 2021-11-02 | 6.5 MEDIUM | 8.8 HIGH | DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /api/trackedEntityInstances and api/events in DHIS2. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.32, 2.33, 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance and /api/events endpoints as a temporary workaround while waiting to upgrade. |
CVE-2021-38754 | 1 Hospital Management System Project | 1 Hospital Management System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php. |
CVE-2021-37803 | 1 Online Covid Vaccination Scheduler System Project | 1 Online Covid Vaccination Scheduler System | 2021-11-02 | 9.3 HIGH | 8.1 HIGH | An SQL Injection vulnerability exists in Sourcecodester Online Covid Vaccination Scheduler System 1.0 via the username in lognin.php. |
CVE-2021-3239 | 1 E-learning System Project | 1 E-learning System | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL | E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell. |
CVE-2015-9324 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL | The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection. |
CVE-2020-23045 | 1 Macs Cms Project | 1 Macs Cms | 2021-10-29 | 6.5 MEDIUM | 7.2 HIGH | Macrob7 Macs Framework Content Management System 1.14f was discovered to contain a SQL injection vulnerability via the 'roleId' parameter of the `editRole` and `deletUser` modules. |
CVE-2020-24932 | 1 Sourcecodester | 1 Complaint Management System | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL | An SQL Injection vulnerability exists in Sourcecodester Complaint Management System 1.0 via the cid parameter in complaint-details.php. |
CVE-2021-42258 | 1 Bqe | 1 Billquick Web Suite | 2021-10-28 | 6.8 MEDIUM | 9.8 CRITICAL | BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell. |
CVE-2020-28960 | 1 Cct95 | 1 Chichen Tech Cms | 2021-10-28 | 10.0 HIGH | 9.8 CRITICAL | Chichen Tech CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the file product_list.php via the id and cid parameters. |
CVE-2021-37371 | 1 Online Student Admission System Project | 1 Online Student Admission System | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL | Online Student Admission System 1.0 is affected by an unauthenticated SQL injection bypass vulnerability in /admin/login.php. |