Total: 11593 CVE
| CVE | Vendors (count, name) | Products (count, name) | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24627 | 1 G Auto-hyperlink Project | 1 G Auto-hyperlink | 2021-11-10 | 6.5 MEDIUM | 7.2 HIGH |
| The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection | |||||
| CVE-2021-24629 | 1 Post Content Xmlrpc Project | 1 Post Content Xmlrpc | 2021-11-10 | 6.5 MEDIUM | 7.2 HIGH |
| The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to authenticated SQL injections | |||||
| CVE-2021-24630 | 1 Schreikasten Project | 1 Schreikasten | 2021-11-10 | 6.5 MEDIUM | 8.8 HIGH |
| The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL injections that can be exploited by users with a role as low as author | |||||
| CVE-2021-24829 | 1 Wp-buy | 1 Visitor Traffic Real Time Statistics | 2021-11-10 | 6.5 MEDIUM | 8.8 HIGH |
| The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated user) before using it in a SQL statement, leading to an SQL injection issue | |||||
| CVE-2021-24827 | 1 Asgaros | 1 Asgaros Forum | 2021-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue | |||||
| CVE-2021-24625 | 1 Web-dorado | 1 Spidercatalog | 2021-11-10 | 6.5 MEDIUM | 7.2 HIGH |
| The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category | |||||
| CVE-2021-24791 | 1 Draftpress | 1 Header Footer Code Manager | 2021-11-10 | 6.5 MEDIUM | 7.2 HIGH |
| The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections | |||||
| CVE-2021-24631 | 1 Unlimited Popups Project | 1 Unlimited Popups | 2021-11-10 | 6.5 MEDIUM | 8.8 HIGH |
| The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users with a role as low as editor, leading to an authenticated SQL injection | |||||
| CVE-2021-34684 | 1 Hitachi | 1 Vantara Pentaho | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI. | |||||
| CVE-2021-42077 | 1 Kaysongroup | 1 Php Event Calendar | 2021-11-09 | 10.0 HIGH | 9.8 CRITICAL |
| PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form. | |||||
| CVE-2020-22223 | 1 Phpjabbers | 1 Fundraising Script | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionLoad function. | |||||
| CVE-2020-22225 | 1 Phpjabbers | 1 Fundraising Script | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionLoadForm function. | |||||
| CVE-2020-22226 | 1 Phpjabbers | 1 Fundraising Script | 2021-11-09 | 7.5 HIGH | 9.8 CRITICAL |
| Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionSetAmount function. | |||||
| CVE-2021-28022 | 1 Servicetonic | 1 Servicetonic | 2021-11-09 | 5.0 MEDIUM | 7.5 HIGH |
| Blind SQL injection in the login form in ServiceTonic Helpdesk software < 9.0.35937 allows an attacker to exfiltrate information via specially crafted HQL-compatible time-based SQL queries. | |||||
| CVE-2021-36624 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2021-11-06 | 7.5 HIGH | 9.8 CRITICAL |
| Sourcecodester Phone Shop Sales Management System version 1.0 suffers from a remote SQL injection vulnerability that allows authentication bypass. | |||||
| CVE-2021-41649 | 1 Online-shopping-system-advanced Project | 1 Online-shopping-system-advanced | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| An unauthenticated SQL injection exists in PuneethReddyHC online-shopping-system-advanced via the cat_id parameter of a POST request to /homeaction.php; the user input is not sanitized. | |||||
| CVE-2021-38833 | 1 Apartment Visitors Management System Project | 1 Apartment Visitors Management System | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE. | |||||
| CVE-2021-35212 | 1 Solarwinds | 1 Orion Platform | 2021-11-05 | 9.0 HIGH | 8.8 HIGH |
| An SQL injection privilege escalation vulnerability in the Orion Platform was reported by the ZDI team: a blind boolean SQL injection that could give any authenticated user full read/write access to the Orion database content, including the Orion certificate. | |||||
| CVE-2021-35458 | 1 Online Pet Shop We App Project | 1 Online Pet Shop We App | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| Online Pet Shop We App 1.0 is vulnerable to Union SQL Injection in products.php (aka p=products) via the c or s parameter. | |||||
| CVE-2020-18262 | 1 Ed01-cms Project | 1 Ed01-cms | 2021-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| ED01-CMS v1.0 was discovered to contain a SQL injection in the component cposts.php via the cid parameter. | |||||
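The rows above repeat one mechanism: a request parameter (an `id` or `did` GET value, an `orderby`/`order` pair, a login username or password) is concatenated into a SQL statement without validation, escaping or binding. The following is an added example and is not code from any plugin or product in the listing. It is a Python/sqlite3 model of those three sinks (the affected WordPress plugins are PHP, but the pattern and the fix are language-independent), each shown in its vulnerable form next to a fixed one, plus a boolean-blind extraction through the ORDER BY sink, where parameter placeholders do not apply and an allowlist is the correct fix. The table and column names, the sample rows and the admin password are constructed for the demo.

```python
"""Model of the SQL injection sinks recurring in the CVE listing above.

Constructed demo: an in-memory sqlite3 database stands in for the plugin's
tables; the schema, rows and admin password are made up for the example.
"""
import sqlite3

# ORDER BY cannot take a parameter placeholder, so identifiers must be checked
# against an allowlist instead of being escaped.
ALLOWED_ORDERBY = {"id", "name", "created"}
ALLOWED_ORDER = {"ASC", "DESC"}


def build_db():
    """Constructed sample data: a snippets table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE snippets(id INTEGER PRIMARY KEY, name TEXT, created TEXT);
        INSERT INTO snippets VALUES (1, 'header', '2021-01-01');
        INSERT INTO snippets VALUES (2, 'footer', '2021-02-01');
        INSERT INTO snippets VALUES (3, 'tracking', '2021-03-01');
        -- plaintext password only to keep the demo short; real code stores a hash
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'correct-horse');
    """)
    return conn


def snippet_by_id_vulnerable(conn, raw_id):
    """Sink 1, as the advisories describe it: the raw GET value becomes SQL text."""
    sql = "SELECT id, name FROM snippets WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def snippet_by_id_fixed(conn, raw_id):
    """Validate the type, then bind the value; it can no longer alter the query."""
    if not raw_id.isdigit():
        return []
    sql = "SELECT id, name FROM snippets WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def list_snippets_vulnerable(conn, orderby, order):
    """Sink 2: identifier injection. A placeholder would not help here either."""
    sql = f"SELECT id, name FROM snippets ORDER BY {orderby} {order}"
    return conn.execute(sql).fetchall()


def list_snippets_fixed(conn, orderby, order):
    """Accept only known column names and directions; reject everything else."""
    order = order.upper()
    if orderby not in ALLOWED_ORDERBY or order not in ALLOWED_ORDER:
        return None  # a web handler would answer 400 here
    sql = f"SELECT id, name FROM snippets ORDER BY {orderby} {order}"
    return conn.execute(sql).fetchall()


def leak_first_char_via_orderby(conn, alphabet="abcdefghijklmnopqrstuvwxyz"):
    """Boolean-blind extraction through the ORDER BY sink.

    A CASE expression sorts by id when the guessed condition holds and by name
    otherwise, so the order of the returned rows is the oracle. Repeating the
    loop for each position of the secret recovers the whole value.
    """
    for ch in alphabet:
        cond = f"(SELECT password FROM users WHERE username='admin') LIKE '{ch}%'"
        payload = f"CASE WHEN {cond} THEN id ELSE name END"
        rows = list_snippets_vulnerable(conn, payload, "ASC")
        if rows[0][0] == 1:  # id-sorted: 'header' (id 1) first, so cond was true
            return ch
    return None


def login_vulnerable(conn, username, password):
    """Sink 3: the classic login bypass; the password field closes the quote."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Both values bound; a quote in the input is just a character."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(snippet_by_id_vulnerable(db, "0 OR 1=1"))      # every row
    print(snippet_by_id_fixed(db, "0 OR 1=1"))           # []
    print(leak_first_char_via_orderby(db))                # 'c'
    print(login_vulnerable(db, "admin", "x' OR '1'='1"))  # 'admin'
    print(login_fixed(db, "admin", "x' OR '1'='1"))       # None
```

The `orderby` case is the one most often fixed wrongly: escaping functions quote string values, not identifiers, so a sort column or direction taken from the request has to be compared against a fixed set of names as `list_snippets_fixed` does. The same reasoning applies to table names, `LIMIT` counts and any other part of a statement that is not a literal value.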
