Total
11593 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4893 | 2024-05-15 | N/A | 9.8 CRITICAL | ||
| DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands. | |||||
| CVE-2024-32888 | 2024-05-15 | N/A | 10.0 CRITICAL | ||
| The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application code which has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default, extended query mode. Note that `preferQueryMode` is not a supported parameter in Redshift JDBC driver, and is inherited code from Postgres JDBC driver. Users who do not override default settings to utilize this unsupported query mode are not affected. This issue is patched in driver version 2.1.0.28. As a workaround, do not use the connection property `preferQueryMode=simple`. (NOTE: Those who do not explicitly specify a query mode use the default of extended query mode and are not affected by this issue.) | |||||
| CVE-2024-27941 | 2024-05-14 | N/A | 8.8 HIGH | ||
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected client systems do not properly sanitize input data before sending it to the SQL server. An attacker could use this vulnerability to compromise the whole database. | |||||
| CVE-2024-27940 | 2024-05-14 | N/A | 8.8 HIGH | ||
| A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any authenticated user to send arbitrary SQL commands to the SQL server. An attacker could use this vulnerability to compromise the whole database. | |||||
| CVE-2024-33009 | 2024-05-14 | N/A | 4.2 MEDIUM | ||
| SAP Global Label Management is vulnerable to SQL injection. On exploitation the attacker can use specially crafted inputs to modify database commands resulting in the retrieval of additional information persisted by the system. This could lead to low impact on Confidentiality and Integrity of the application. | |||||
| CVE-2023-50718 | 2024-05-14 | N/A | 6.5 MEDIUM | ||
| NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the database. Version 0.202.10 contains a patch for the issue. | |||||
| CVE-2024-32655 | 2024-05-14 | N/A | 8.1 HIGH | ||
| Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths becomes too large. This causes Npgsql to write a message size that is too small when constructing a Postgres protocol message to send it over the network to the database. When parsing the message, the database will only read a small number of bytes and treat any following bytes as new messages while they belong to the old message. Attackers can abuse this to inject arbitrary Postgres protocol messages into the connection, leading to the execution of arbitrary SQL statements on the application's behalf. This vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and 8.0.3. | |||||
| CVE-2024-4423 | 2024-05-14 | N/A | N/A | ||
| The access control in CemiPark software does not properly validate user-entered data, which allows the authentication bypass. An attacker who has network access to the login panel can log in with administrator rights to the application.This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products. | |||||
| CVE-2024-4824 | 2024-05-14 | N/A | 9.8 CRITICAL | ||
| Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/office_admin/' index in the parameters groups_id, examname, classes_id, es_voucherid, es_class, etc. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the database. | |||||
| CVE-2022-43279 | 1 Limesurvey | 1 Limesurvey | 2024-05-14 | N/A | 7.2 HIGH |
| LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php. | |||||
| CVE-2024-29889 | 2024-05-07 | N/A | 7.1 HIGH | ||
| GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15. | |||||
| CVE-2024-31456 | 2024-05-07 | N/A | 7.7 HIGH | ||
| GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15. | |||||
| CVE-2024-34386 | 2024-05-06 | N/A | 7.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lucian Apostol Auto Affiliate Links.This issue affects Auto Affiliate Links: from n/a through 6.4.3.1. | |||||
| CVE-2024-34412 | 2024-05-06 | N/A | 8.5 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Parcel Panel ParcelPanel.This issue affects ParcelPanel: from n/a through 3.8.1. | |||||
| CVE-2021-20451 | 2024-05-06 | N/A | 6.0 MEDIUM | ||
| IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 196643. | |||||
| CVE-2023-38724 | 2024-05-06 | N/A | 6.3 MEDIUM | ||
| IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 262183. | |||||
| CVE-2020-3936 | 1 Unisoon | 2 Ultralog Express, Ultralog Express Firmware | 2024-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command. | |||||
| CVE-2023-27358 | 2024-05-03 | N/A | 8.8 HIGH | ||
| NETGEAR RAX30 SOAP Request SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of specific SOAP requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. Was ZDI-CAN-19754. | |||||
| CVE-2023-35720 | 2024-05-03 | N/A | 6.5 MEDIUM | ||
| ASUS RT-AX92U lighttpd mod_webdav.so SQL Injection Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected ASUS RT-AX92U routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mod_webdav.so module. When parsing a request, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-16078. | |||||
| CVE-2024-34032 | 2024-05-03 | N/A | 8.8 HIGH | ||
| Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed. | |||||