Total: 11593 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-25899 | 1 Void | 1 Aurall Rec Monitor | 2021-08-13 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a crafted HTTP request to perform a blind time-based SQL Injection. The vulnerable parameter is param1. |
| CVE-2021-38167 | 1 Roxy-wi | 1 Roxy-wi | 2021-08-13 | 7.5 HIGH | 9.8 CRITICAL | Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication. |
| CVE-2021-36455 | 1 Naviwebs | 1 Navigate Cms | 2021-08-13 | 6.5 MEDIUM | 8.8 HIGH | SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php. |
| CVE-2021-38168 | 1 Roxy-wi | 1 Roxy-wi | 2021-08-12 | 6.5 MEDIUM | 8.8 HIGH | Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers. |
| CVE-2021-24321 | 1 Bold-themes | 1 Bello | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL | The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and bt_bb_listing_field_my_lat parameters before using them in a SQL statement, leading to SQL Injection issues. |
| CVE-2021-38574 | 1 Foxitsoftware | 2 Foxit Reader, Phantompdf | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows SQL Injection via crafted data at the end of a string. |
| CVE-2021-36351 | 1 Care2x | 1 Hospital Information Management System | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL | SQL Injection Vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php. |
| CVE-2021-31867 | 1 Pimcore | 1 Customer Management Framework | 2021-08-12 | 5.0 MEDIUM | 7.5 HIGH | Pimcore Customer Data Framework version 3.0.0 and earlier suffers from a Boolean-based blind SQL injection issue in the $id parameter of the SegmentAssignmentController.php component of the application. This issue was fixed in version 3.0.2 of the product. |
| CVE-2021-31869 | 1 Pimcore | 1 Adminbundle | 2021-08-12 | 5.0 MEDIUM | 7.5 HIGH | Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the application. This issue was fixed in version 6.9.4 of the product. |
| CVE-2020-23149 | 1 Rconfig | 1 Rconfig | 2021-08-12 | 5.0 MEDIUM | 7.5 HIGH | The dbName parameter in ajaxDbInstall.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a SQL injection and access sensitive database information. |
| CVE-2020-23150 | 1 Rconfig | 1 Rconfig | 2021-08-12 | 5.0 MEDIUM | 7.5 HIGH | A SQL injection vulnerability in config.inc.php of rConfig 3.9.5 allows attackers to access sensitive database information via a crafted GET request to install/lib/ajaxHandlers/ajaxDbInstall.php. |
| CVE-2021-37832 | 1 Digitaldruid | 1 Hoteldruid | 2021-08-11 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter. |
| CVE-2021-32590 | 1 Fortinet | 1 Fortiportal | 2021-08-11 | 9.0 HIGH | 8.8 HIGH | Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests. |
| CVE-2020-29011 | 1 Fortinet | 1 Fortisandbox | 2021-08-10 | 6.5 MEDIUM | 8.8 HIGH | Instances of SQL Injection vulnerabilities in the checksum search and MTA-quarantine modules of FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated attacker to execute unauthorized code on the underlying SQL interpreter via specifically crafted HTTP requests. |
| CVE-2021-37557 | 1 Centreon | 1 Centreon | 2021-08-10 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter. |
| CVE-2021-37558 | 1 Centreon | 1 Centreon | 2021-08-10 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php. |
| CVE-2021-37556 | 1 Centreon | 1 Centreon | 2021-08-10 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters. |
| CVE-2021-24484 | 1 Ays-pro | 1 Secure Copy Content Protection And Content Locking | 2021-08-10 | 6.5 MEDIUM | 7.2 HIGH | The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard. |
| CVE-2021-24483 | 1 Ays-pro | 1 Poll Maker | 2021-08-10 | 6.5 MEDIUM | 7.2 HIGH | The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard. |
| CVE-2021-24492 | 1 Handsome Testimonials & Reviews Project | 1 Handsome Testimonials & Reviews | 2021-08-10 | 6.5 MEDIUM | 8.8 HIGH | The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated user, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. |
