Total: 9311 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-11816 | 1 Rukovoditel | 1 Rukovoditel | 2020-04-22 | 7.5 HIGH | 9.8 CRITICAL | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter. |
CVE-2020-11537 | 1 Onlyoffice | 1 Document Server | 2020-04-22 | 7.5 HIGH | 9.8 CRITICAL | A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection into the DocID parameter of the Websocket API. |
CVE-2020-11820 | 1 Rukovoditel | 1 Rukovoditel | 2020-04-20 | 7.5 HIGH | 9.8 CRITICAL | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter. |
CVE-2019-16383 | 1 Ipswitch | 1 Moveit Transfer | 2020-04-14 | 7.5 HIGH | 9.4 CRITICAL | MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection. |
CVE-2018-17410 | 1 Horus Cms Project | 1 Horus Cms | 2020-04-14 | 7.5 HIGH | 9.8 CRITICAL | Horus CMS allows SQL Injection, as demonstrated by a request to the /busca or /home URI. |
CVE-2018-17842 | 1 Scriptzee | 1 Hotel Booking Engine | 2020-04-14 | 7.5 HIGH | 9.8 CRITICAL | SQL injection exists in Scriptzee Hotel Booking Engine 1.0 via the hotels h_room_type parameter. |
CVE-2020-10623 | 1 Advantech | 1 Webaccess/nms | 2020-04-10 | 4.0 MEDIUM | 6.5 MEDIUM | Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information. |
CVE-2020-10617 | 1 Advantech | 1 Webaccess/nms | 2020-04-09 | 5.0 MEDIUM | 7.5 HIGH | There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information. |
CVE-2020-11597 | 1 Cipplanner | 1 Cipace | 2020-04-07 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make an HTTP POST request and inject SQL statements in the user context of the db owner. |
CVE-2020-11545 | 1 Projectworlds | 1 Official Car Rental System | 2020-04-06 | 7.5 HIGH | 9.8 CRITICAL | Project Worlds Official Car Rental System 1 is vulnerable to multiple SQL injection issues, as demonstrated by the email and parameters (account.php), uname and pass parameters (login.php), and id parameter (book_car.php). This allows an attacker to dump the MySQL database and to bypass the login authentication prompt. |
CVE-2020-8638 | 1 Testlink | 1 Testlink | 2020-04-06 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter. |
CVE-2020-8637 | 1 Testlink | 1 Testlink | 2020-04-06 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter. |
CVE-2019-19094 | 1 Abb | 1 Esoms | 2020-04-03 | 6.5 MEDIUM | 7.6 HIGH | Lack of input checks for SQL queries in ABB eSOMS versions 3.9 to 6.0.3 might allow an attacker to perform SQL injection attacks against the backend database. |
CVE-2020-6009 | 1 Learndash | 1 Learndash | 2020-04-02 | 7.5 HIGH | 9.8 CRITICAL | LearnDash WordPress plugin versions below 3.1.6 are vulnerable to unauthenticated SQL Injection. |
CVE-2019-7755 | 1 Weberp | 1 Weberp | 2020-04-02 | 6.5 MEDIUM | 8.8 HIGH | In webERP 4.15, the Import Bank Transactions function fails to sanitize the content of imported MT940 bank statement files, resulting in the execution of arbitrary SQL queries, aka SQL Injection. |
CVE-2020-5292 | 1 Leantime | 1 Leantime | 2020-04-02 | 6.5 MEDIUM | 8.8 HIGH | Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and administrators' password hashes, modify data, or drop tables. The unescaped parameter is "searchUsers" when sending a POST request to "/tickets/showKanban" with a valid session. In the code, the parameter is named "users" in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3. |
CVE-2020-10817 | 1 Custom Searchable Data Entry System Project | 1 Custom Searchable Data Entry System | 2020-04-01 | 6.5 MEDIUM | 8.8 HIGH | The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued. |
CVE-2020-5725 | 1 Grandstream | 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more | 2020-03-31 | 4.3 MEDIUM | 5.9 MEDIUM | The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the HTTP server's websockify endpoint. A remote unauthenticated attacker can invoke the login action with a crafted username and, through the use of timing attacks, can discover user passwords. |
CVE-2020-5726 | 1 Grandstream | 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more | 2020-03-31 | 5.0 MEDIUM | 7.5 HIGH | The Grandstream UCM6200 series before 1.0.20.22 is vulnerable to an SQL injection via the CTI server on port 8888. A remote unauthenticated attacker can invoke the challenge action with a crafted username and discover user passwords. |
CVE-2020-3936 | 1 Unisoon | 2 Ultralog Express, Ultralog Express Firmware | 2020-03-31 | 7.5 HIGH | 9.8 CRITICAL | The UltraLog Express device management interface does not properly filter user-supplied strings in some specific parameters, so attackers can inject arbitrary SQL commands. |