Total: 9311 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2013-2559 | 1 Getsymphony | 1 Symphony | 2020-08-25 | 6.5 MEDIUM | N/A | SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.
CVE-2019-6707 | 1 Phpshe | 1 Phpshe | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH | PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=state product_id[] parameter.
CVE-2019-6708 | 1 Phpshe | 1 Phpshe | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH | PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter.
CVE-2018-19462 | 1 Phome | 1 Empirecms | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH | admin\db\DoSql.php in EmpireCMS through 7.5 allows remote attackers to execute arbitrary PHP code via SQL injection that uses a .php filename in a SELECT INTO OUTFILE statement to admin/admin.php.
CVE-2018-18251 | 1 Deltek | 1 Vision | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | Deltek Vision 7.x before 7.6 permits the execution of any attacker-supplied SQL statement through a custom RPC over HTTP protocol. The Vision system relies on the client binary to enforce security rules and integrity of SQL statements and other content being sent to the server. Client HTTP calls can be manipulated by one of several means to execute arbitrary SQL statements (similar to SQLi) or possibly have unspecified other impact via this custom protocol. To perform these attacks an authenticated session is first required. In some cases client calls are obfuscated by encryption, which can be bypassed due to hard-coded keys and an insecure key rotation protocol. Impacts may include remote code execution in some deployments; however, the vendor states that this cannot occur when the installation documentation is heeded.
CVE-2019-16894 | 1 Inoideas | 1 Inoerp | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | download.php in inoERP 4.15 allows SQL injection through insecure deserialization.
CVE-2019-10913 | 1 Sensiolabs | 1 Symfony | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
CVE-2019-11196 | 1 Vpcsbd | 1 Integrated University Management System | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL | An authentication bypass vulnerability in all versions of ValuePLUS Integrated University Management System (IUMS) allows unauthenticated, remote attackers to gain administrator privileges via the Teachers Web Panel (TWP) User ID or Password field. If exploited, the attackers could perform any actions with administrator privileges (e.g., enumerate/delete all the students' personal information or modify various settings).
CVE-2019-8600 | 1 Apple | 6 Icloud, Iphone Os, Itunes and 3 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL | A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, iTunes for Windows 12.9.5, iCloud for Windows 7.12. A maliciously crafted SQL query may lead to arbitrary code execution.
CVE-2020-24208 | 1 Online Shopping Alphaware Project | 1 Online Shopping Alphaware | 2020-08-21 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability in SourceCodester Online Shopping Alphaware 1.0 allows remote unauthenticated attackers to bypass the authentication process via the email and password parameters.
CVE-2020-12606 | 1 Dbsoft | 1 Sglac | 2020-08-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in DB Soft SGLAC before 20.05.001. The ProcedimientoGenerico method in the SVCManejador.svc webservice of the SGLAC web frontend allows an attacker to run arbitrary SQL commands on the SQL Server. Command execution can be easily achieved by using the xp_cmdshell stored procedure.
CVE-2020-8211 | 1 Citrix | 1 Xenmobile Server | 2020-08-20 | 7.5 HIGH | 9.8 CRITICAL | Improper input validation in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows SQL injection.
CVE-2020-15925 | 1 Loway | 1 Queuemetrics | 2020-08-19 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability at a tpf URI in Loway QueueMetrics before 19.10.21 allows remote authenticated attackers to execute arbitrary SQL commands via the TPF_XPAR1 parameter.
CVE-2020-15947 | 1 Loway | 1 Queuemetrics | 2020-08-19 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability in the qm_adm/qm_export_stats_run.do endpoint of Loway QueueMetrics before 19.10.21 allows remote authenticated users to execute arbitrary SQL commands via the exportId parameter.
CVE-2017-15982 | 1 Geniusocean | 1 News | 2020-08-19 | 7.5 HIGH | 9.8 CRITICAL | Dynamic News Magazine & Blog CMS 1.0 allows SQL injection via the id parameter to admin/admin_process.php for form editing.
CVE-2017-15981 | 1 Geniusocean | 1 Newspaper | 2020-08-19 | 7.5 HIGH | 9.8 CRITICAL | Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL injection via the id parameter to admin/admin_process.php for form editing.
CVE-2017-15971 | 1 Softdatepro | 1 Same Date Pro | 2020-08-19 | 7.5 HIGH | 9.8 CRITICAL | Same Sex Dating Software Pro 1.0 allows SQL injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15972.
CVE-2013-2745 | 2 Debian, Minidlna Project | 2 Debian Linux, Minidlna | 2020-08-18 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability exists in MiniDLNA prior to 1.1.0.
CVE-2019-10208 | 1 Postgresql | 1 Postgresql | 2020-08-17 | 6.5 MEDIUM | 8.8 HIGH | A flaw was discovered in PostgreSQL versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker with EXECUTE permission on the function can execute arbitrary SQL as the owner of the function.
CVE-2020-7356 | 1 Cayintech | 1 Xpost | 2020-08-12 | 10.0 HIGH | 9.8 CRITICAL | CAYIN xPost suffers from an unauthenticated SQL injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands.