Total: 11593 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-36293 | 1 Wmanager | 1 Wmanager | 2023-07-18 | N/A | 7.5 HIGH |
| SQL injection vulnerability in wmanager v.1.0.7 and before allows a remote attacker to obtain sensitive information via a crafted script to the company.php component. | |||||
| CVE-2023-3045 | 1 Tise | 1 Parking Web Report | 2023-07-17 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tise Technology Parking Web Report allows SQL Injection. This issue affects Parking Web Report: before 2.1. | |||||
| CVE-2023-33664 | 1 Ai-dev | 1 Declinaisons A La Volee | 2023-07-17 | N/A | 8.8 HIGH |
| ai-dev aicombinationsonfly before v0.3.1 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php. | |||||
| CVE-2023-36813 | 1 Kanboard | 1 Kanboard | 2023-07-17 | N/A | 8.8 HIGH |
| Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31, an authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations, the code improperly uses the PicoDB library to update/insert new information. Version 1.2.31 contains a fix for this issue. | |||||
| CVE-2023-32569 | 1 Veritas | 1 Infoscale Operations Manager | 2023-07-14 | N/A | 9.8 CRITICAL |
| An issue was discovered in Veritas InfoScale Operations Manager (VIOM) before 7.4.2.800 and 8.x before 8.0.410. The InfoScale VIOM web application is vulnerable to SQL Injection in some of the areas of the application. This allows attackers (who must have admin credentials) to submit arbitrary SQL commands on the back-end database to create, read, update, or delete any sensitive data stored in the database. | |||||
| CVE-2023-2046 | 1 Yontemizleme | 1 Vehicle Tracking System | 2023-07-14 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yontem Informatics Vehicle Tracking System allows SQL Injection. This issue affects Vehicle Tracking System: before 8. | |||||
| CVE-2023-2852 | 1 Softmedyazilim | 1 Selfpatron | 2023-07-14 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Softmed SelfPatron allows SQL Injection. This issue affects SelfPatron: before 2.0. | |||||
| CVE-2023-37270 | 1 Piwigo | 1 Piwigo | 2023-07-14 | N/A | 8.8 HIGH |
| Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately. | |||||
| CVE-2023-27845 | 1 Kerawen | 1 Omnichannel Stocks | 2023-07-14 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allows a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo and KerawenHelper::resetCheckoutSessionData components. | |||||
| CVE-2023-36932 | 1 Progress | 1 Moveit Transfer | 2023-07-12 | N/A | 8.1 HIGH |
| In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | |||||
| CVE-2023-30325 | 1 Chatengine Project | 1 Chatengine | 2023-07-12 | N/A | 7.5 HIGH |
| SQL Injection vulnerability in textMessage parameter in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine v.1.0, allows attackers to gain sensitive information. | |||||
| CVE-2023-30323 | 1 Chatengine Project | 1 Chatengine | 2023-07-12 | N/A | 7.5 HIGH |
| SQL Injection vulnerability in username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0, allows attackers to gain sensitive information. | |||||
| CVE-2023-35924 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | |||||
| CVE-2023-36808 | 1 Glpi-project | 1 Glpi | 2023-07-10 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | |||||
| CVE-2023-22319 | 1 Milesight | 1 Milesightvpn | 2023-07-10 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability exists in the requestHandlers.js LoginAuth functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2023-36968 | 1 Food Ordering System Project | 1 Food Ordering System | 2023-07-10 | N/A | 7.2 HIGH |
| A SQL Injection vulnerability detected in Food Ordering System v1.0 allows attackers to run commands on the database by sending crafted SQL queries to the ID parameter. | |||||
| CVE-2023-36934 | 1 Progress | 1 Moveit Transfer | 2023-07-10 | N/A | 9.1 CRITICAL |
| In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | |||||
| CVE-2022-46163 | 1 Opensuse | 1 Travel Support Program | 2023-07-07 | N/A | 7.5 HIGH |
| Travel support program is a Rails app to support the travel support program of openSUSE (TSP). Sensitive user data (bank account details, password hash) can be extracted via Ransack query injection. Every deployment of travel-support-program below the patched version is affected. The travel-support-program uses the Ransack library to implement search functionality. In its default configuration, Ransack will allow for query conditions based on properties of associated database objects [1]. The `*_start`, `*_end` or `*_cont` search matchers [2] can then be abused to exfiltrate sensitive string values of associated database objects via character-by-character brute-force (a match is indicated by the returned JSON not being empty). A single bank account number can be extracted with <200 requests, a password hash can be extracted with ~1200 requests, all within a few minutes. The problem has been patched in commit d22916275c51500b4004933ff1b0a69bc807b2b7. In order to work around this issue, you can also cherry-pick that patch; however, it will not work without the Rails 5.0 migration that was done in #150, which in turn had quite a few pull requests it depended on. | |||||
| CVE-2023-3490 | 1 Fossbilling | 1 Fossbilling | 2023-07-06 | N/A | 9.8 CRITICAL |
| SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. | |||||
| CVE-2023-34487 | 1 Online Hotel Management System Project | 1 Online Hotel Management System | 2023-07-06 | N/A | 9.8 CRITICAL |
| itsourcecode Online Hotel Management System Project in PHP v1.0.0 is vulnerable to SQL Injection. SQL injection points exist in the login password input box. This vulnerability can be exploited through time-based blind injection. | |||||
