Total: 11593 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-24506 | 1 Quantumcloud | 1 Slider Hero | 2021-08-26 | 6.5 MEDIUM | 8.8 HIGH | The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. |
| CVE-2020-18164 | 1 Tp-shop | 1 Tp-shop | 2021-08-25 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter. |
| CVE-2020-18746 | 1 Aitecms | 1 Aitecms | 2021-08-24 | 6.5 MEDIUM | 7.2 HIGH | SQL Injection in AiteCMS v1.0 allows remote attackers to execute arbitrary code via the component "aitecms/login/diy_list.php". |
| CVE-2020-22122 | 1 Find A Place Ljcms Project | 1 Find A Place Ljcms | 2021-08-24 | 5.0 MEDIUM | 7.5 HIGH | A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v 1.3 allows attackers to access sensitive database information via a crafted POST request. |
| CVE-2020-18877 | 1 Wuzhicms | 1 Wuzhicms | 2021-08-23 | 5.0 MEDIUM | 7.5 HIGH | SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'. |
| CVE-2021-38302 | 1 Newsletter Project | 1 Newsletter | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection. |
| CVE-2021-28890 | 1 J2eefast | 1 J2eefast | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | J2eeFAST 2.2.1 allows remote attackers to perform SQL injection via the (1) compId parameter to fast/sys/user/list, (2) deptId parameter to fast/sys/role/list, or (3) roleId parameter to fast/sys/role/authUser/list, related to the use of ${} to join SQL statements. |
| CVE-2021-37350 | 1 Nagios | 1 Nagios Xi | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | Nagios XI before version 5.8.5 is vulnerable to SQL injection vulnerability in Bulk Modifications Tool due to improper input sanitisation. |
| CVE-2021-37599 | 1 Nuance | 1 Winscribe Dictation | 2021-08-23 | 7.5 HIGH | 9.8 CRITICAL | The exporter/Login.aspx login form in the Exporter in Nuance Winscribe Dictation 4.1.0.99 is vulnerable to SQL injection that allows a remote, unauthenticated attacker to read the database (and execute code in some situations) via the txtPassword parameter. |
| CVE-2021-39302 | 1 Misp | 1 Misp | 2021-08-23 | 6.8 MEDIUM | 9.8 CRITICAL | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| CVE-2020-20975 | 1 Gxlcms | 1 Gxlcms | 2021-08-20 | 7.5 HIGH | 9.8 CRITICAL | In \lib\admin\action\dataaction.class.php in Gxlcms v1.1, SQL Injection exists via the $filename parameter. |
| CVE-2021-36789 | 1 Dated News Project | 1 Dated News | 2021-08-20 | 7.5 HIGH | 9.8 CRITICAL | The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection. |
| CVE-2015-4066 | 1 Tri | 1 Gigpress | 2021-08-19 | 6.5 MEDIUM | N/A | Multiple SQL injection vulnerabilities in admin/handlers.php in the GigPress plugin before 2.3.9 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) show_artist_id or (2) show_venue_id parameter in an add action in the gigpress.php page to wp-admin/admin.php. |
| CVE-2021-24507 | 1 Brainstormforce | 1 Astra | 2021-08-17 | 7.5 HIGH | 9.8 CRITICAL | The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX actions (available to both unauthenticated and authenticated users) before using them in a SQL statement, leading to SQL Injection issues. |
| CVE-2013-4717 | 1 Otrs | 2 Otrs, Otrs Itsm | 2021-08-17 | 6.5 MEDIUM | 8.8 HIGH | Multiple SQL injection vulnerabilities in Open Ticket Request System (OTRS) Help Desk 3.0.x before 3.0.22, 3.1.x before 3.1.18, and 3.2.x before 3.2.9 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to Kernel/Output/HTML/PreferencesCustomQueue.pm, Kernel/System/CustomerCompany.pm, Kernel/System/Ticket/IndexAccelerator/RuntimeDB.pm, Kernel/System/Ticket/IndexAccelerator/StaticDB.pm, and Kernel/System/TicketSearch.pm. |
| CVE-2021-37614 | 1 Progress | 1 Moveit Transfer | 2021-08-17 | 6.5 MEDIUM | 8.8 HIGH | In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3). |
| CVE-2020-20981 | 1 Metinfo | 1 Metinfo | 2021-08-16 | 5.0 MEDIUM | 7.5 HIGH | A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0 allows attackers to access sensitive database information. |
| CVE-2021-24520 | 1 Coderstimes | 1 Out Of Stock Message For Woocommerce | 2021-08-16 | 6.5 MEDIUM | 8.8 HIGH | The Stock in & out WordPress plugin through 1.0.4 lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability. |
| CVE-2021-38159 | 1 Progress | 1 Moveit Transfer | 2021-08-14 | 7.5 HIGH | 9.8 CRITICAL | In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4). |
| CVE-2020-28087 | 1 Jeecg | 1 Jeecg Boot | 2021-08-14 | 5.0 MEDIUM | 7.5 HIGH | A SQL injection vulnerability in /jeecg boot/sys/dict/loadtreedata of jeecg-boot CMS 2.3 allows attackers to access sensitive database information. |
