Total
11593 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1000869 | 1 Phpipam | 1 Phpipam | 2019-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4. | |||||
| CVE-2018-20508 | 1 Crashfix Project | 1 Crashfix | 2019-01-08 | 7.5 HIGH | 9.8 CRITICAL |
| CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search() function. | |||||
| CVE-2018-1000867 | 1 Webidsupport | 1 Webid | 2019-01-07 | 6.5 MEDIUM | 8.8 HIGH |
| WeBid version up to current version 1.2.2 contains a SQL Injection vulnerability in All five yourauctions*.php scripts that can result in Database Read via Blind SQL Injection. This attack appear to be exploitable via HTTP Request. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f. | |||||
| CVE-2018-20329 | 1 Chamilo | 1 Chamilo Lms | 2019-01-07 | 5.5 MEDIUM | 8.1 HIGH |
| Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsCatalog.class.php SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information. | |||||
| CVE-2018-1000871 | 1 Digitaldruid | 1 Hoteldruid | 2019-01-07 | 7.5 HIGH | 9.8 CRITICAL |
| HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL Injection vulnerability in "id_utente_mod" parameter in gestione_utenti.php file that can result in An attacker can dump all the database records of backend webserver. This attack appear to be exploitable via the attack can be done by anyone via specially crafted sql query passed to the "id_utente_mod=1" parameter. | |||||
| CVE-2018-18923 | 1 Abisoftgt | 1 Ticketly | 2019-01-02 | 7.5 HIGH | 9.8 CRITICAL |
| AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id and status_id in reports.php. | |||||
| CVE-2018-20061 | 1 Frappe | 1 Erpnext | 2019-01-02 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call. | |||||
| CVE-2018-20479 | 1 S-cms | 1 S-cms | 2018-12-31 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter. | |||||
| CVE-2018-20480 | 1 S-cms | 1 S-cms | 2018-12-31 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter. | |||||
| CVE-2018-20018 | 1 S-cms | 1 S-cms | 2018-12-30 | 5.0 MEDIUM | 7.5 HIGH |
| S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI. | |||||
| CVE-2018-18619 | 1 Advanced Comment System Project | 1 Advanced Comment System | 2018-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute the sqli attack via a URL in the "page" parameter. NOTE: The product is discontinued. | |||||
| CVE-2018-1002000 | 1 Kibokolabs | 1 Arigato Autoresponder And Newsletter | 2018-12-27 | 6.5 MEDIUM | 7.2 HIGH |
| There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8 These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request. | |||||
| CVE-2018-19893 | 1 Pbootcms | 1 Pbootcms | 2018-12-26 | 7.5 HIGH | 9.8 CRITICAL |
| SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string. | |||||
| CVE-2018-19898 | 1 Thinkcmf | 1 Thinkcmf | 2018-12-26 | 6.5 MEDIUM | 8.8 HIGH |
| ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action. | |||||
| CVE-2018-19897 | 1 Thinkcmf | 1 Thinkcmf | 2018-12-26 | 6.5 MEDIUM | 7.2 HIGH |
| ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action. | |||||
| CVE-2018-19896 | 1 Thinkcmf | 1 Thinkcmf | 2018-12-26 | 6.5 MEDIUM | 7.2 HIGH |
| ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action. | |||||
| CVE-2018-19895 | 1 Thinkcmf | 1 Thinkcmf | 2018-12-26 | 6.5 MEDIUM | 7.2 HIGH |
| ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action. | |||||
| CVE-2018-19894 | 1 Thinkcmf | 1 Thinkcmf | 2018-12-26 | 6.5 MEDIUM | 7.2 HIGH |
| ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action. | |||||
| CVE-2018-13350 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter. | |||||
| CVE-2018-19468 | 1 Hucart | 1 Hucart | 2018-12-19 | 7.5 HIGH | 9.8 CRITICAL |
| HuCart 5.7.4 has SQL injection in get_ip() in system/class/helper_class.php via the X-Forwarded-For HTTP header to the user/index.php?load=login&act=act_login URI. | |||||