Total: 11593 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-3792 | 1 Gullseye | 1 Gullseye Terminal Operating System | 2023-04-16 | N/A | 9.8 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GullsEye terminal operating system allows SQL Injection. This issue affects GullsEye terminal operating system: from unspecified before 5.0.13. |
| CVE-2023-26860 | 1 Save Your Carts And Buy Later Or Send It Project | 1 Save Your Carts And Buy Later Or Send It | 2023-04-14 | N/A | 8.8 HIGH | SQL injection vulnerability found in PrestaShop Igbudget v.1.0.3 and before allows a remote attacker to gain privileges via the LgBudgetBudgetModuleFrontController::displayAjaxGenerateBudget component. |
| CVE-2023-26325 | 1 Wpdeveloper | 1 Reviewx | 2023-04-13 | N/A | 8.8 HIGH | The 'rx_export_review' action in the ReviewX WordPress Plugin is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters. |
| CVE-2022-31890 | 1 Enhancesoft | 1 Audit Log | 2023-04-12 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in audit/class.audit.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae via the order parameter to the getOrder function. |
| CVE-2023-28838 | 1 Glpi-project | 1 Glpi | 2023-04-12 | N/A | 8.1 HIGH | GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allows users with access rights to statistics or reports to extract all data from the database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user. |
| CVE-2023-28849 | 1 Glpi-project | 1 Glpi | 2023-04-12 | N/A | 5.4 MEDIUM | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, the GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform an XSS attack. By default, the GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory. |
| CVE-2020-36072 | 1 Tailor Management System Project | 1 Tailor Management System | 2023-04-12 | N/A | 8.8 HIGH | SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the id parameter. |
| CVE-2020-36071 | 1 Tailor Management System Project | 1 Tailor Management System | 2023-04-12 | N/A | 8.8 HIGH | SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page. |
| CVE-2020-36073 | 1 Tailor Management System Project | 1 Tailor Management System | 2023-04-12 | N/A | 8.8 HIGH | SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the detail parameter of the document.php page. |
| CVE-2020-36074 | 1 Tailor Mangement System Project | 1 Tailor Mangement System | 2023-04-12 | N/A | 8.8 HIGH | SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the title parameter. |
| CVE-2023-25615 | 1 Sap | 1 Abap Platform | 2023-04-11 | N/A | 4.9 MEDIUM | Due to insufficient input sanitization, SAP ABAP - versions 751, 753, 753, 754, 756, 757, 791 - allows an authenticated high-privileged user to alter the current session of the user by injecting malicious database queries over the network and gain access to unintended data. This may lead to a high impact on the confidentiality and no impact on the availability and integrity of the application. |
| CVE-2022-34700 | 1 Microsoft | 1 Dynamics 365 | 2023-04-11 | N/A | 8.8 HIGH | Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability. |
| CVE-2022-41703 | 1 Apache | 1 Superset | 2023-04-11 | N/A | 5.4 MEDIUM | A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. |
| CVE-2023-26856 | 1 Dynamic Transaction Queuing System Project | 1 Dynamic Transaction Queuing System | 2023-04-11 | N/A | 7.2 HIGH | Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/ajax.php?action=login. |
| CVE-2022-38923 | 1 Iss-oberlausitz | 1 Bluepage Cms | 2023-04-11 | N/A | 9.8 CRITICAL | BluePage CMS through v3.9 processes an insufficiently sanitized HTTP header, allowing MySQL injection in the 'User-Agent' field using a time-based blind SLEEP payload. |
| CVE-2022-38922 | 1 Iss-oberlausitz | 1 Bluepage Cms | 2023-04-11 | N/A | 9.8 CRITICAL | BluePage CMS through 3.9 processes an insufficiently sanitized HTTP Cookie header value, allowing MySQL injection in the 'users-cookie-settings' token using a time-based blind SLEEP payload. |
| CVE-2023-24812 | 1 Misskey | 1 Misskey | 2023-04-10 | N/A | 9.8 CRITICAL | Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3, SQL injection is possible due to insufficient parameter validation in the note search API by tag (notes/search-by-tag). This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to upgrade should block access to the `api/notes/search-by-tag` endpoint. |
| CVE-2023-28843 | 1 202-ecommerce | 1 Paypal | 2023-04-07 | N/A | 9.8 CRITICAL | PrestaShop/paypal is an open source module for the PrestaShop web commerce ecosystem which provides PayPal payment support. A SQL injection vulnerability found in the PrestaShop paypal module from release 3.12.0 to and including 3.16.3 allows a remote attacker to gain privileges, modify data, and potentially affect system availability. The cause of this issue is that SQL queries were being constructed with user input which had not been properly filtered. Only deployments on PrestaShop 1.6 are affected. Users are advised to upgrade to module version 3.16.4. There are no known workarounds for this vulnerability. |
| CVE-2022-42428 | 1 Centreon | 1 Centreon | 2023-04-07 | N/A | 8.8 HIGH | This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18410. |
| CVE-2020-21060 | 1 Phpmywind | 1 Phpmywind | 2023-04-07 | N/A | 8.8 HIGH | SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page. |