Total: 11593 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-25315 | 1 Hotel Management System Project | 1 Hotel Management System | 2024-02-12 | N/A | 9.8 CRITICAL | Code-projects Hotel Management System 1.0 allows SQL Injection via the 'rid' parameter in Hotel/admin/roombook.php?rid=2. |
| CVE-2024-25316 | 1 Hotel Management System Project | 1 Hotel Management System | 2024-02-12 | N/A | 9.8 CRITICAL | Code-projects Hotel Management System 1.0 allows SQL Injection via the 'eid' parameter in Hotel/admin/usersettingdel.php?eid=2. |
| CVE-2024-1118 | 1 Podlove | 1 Podlove Subscribe Button | 2024-02-10 | N/A | 8.8 HIGH | The Podlove Subscribe button plugin for WordPress is vulnerable to UNION-based SQL Injection via the 'button' attribute of the podlove-subscribe-button shortcode in all versions up to, and including, 1.3.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. |
| CVE-2024-24015 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /sys/user/exit. |
| CVE-2024-24013 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/pay/list. |
| CVE-2024-24019 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/roleDataPerm/list. |
| CVE-2024-24018 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list. |
| CVE-2024-24023 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list. |
| CVE-2024-24003 | 1 Jishenghua | 1 Jsherp | 2024-02-10 | N/A | 9.8 CRITICAL | jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload to bypass jshERP's protection mechanism in the `safeSqlParse` method for SQL injection. |
| CVE-2024-24014 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/author/list. |
| CVE-2024-24017 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list. |
| CVE-2024-24021 | 1 Xxyopen | 1 Novel-plus | 2024-02-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list. |
| CVE-2008-4078 | 2 Ledgersmb, Sql-ledger | 2 Ledgersmb, Sql-ledger | 2024-02-09 | 6.5 MEDIUM | N/A | SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2023-48792 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-02-09 | N/A | 9.8 CRITICAL | Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option. |
| CVE-2023-48793 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-02-09 | N/A | 9.8 CRITICAL | Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature. |
| CVE-2024-22108 | 1 Gttb | 1 Gtb Central Console | 2024-02-09 | N/A | 9.8 CRITICAL | An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method setTermsHashAction at /opt/webapp/lib/PureApi/CCApi.class.php is vulnerable to an unauthenticated SQL injection via /ccapi.php that an attacker can abuse in order to change the Administrator password to a known value. |
| CVE-2022-47072 | 1 Sparxsystems | 1 Enterprise Architect | 2024-02-09 | N/A | 9.8 CRITICAL | SQL injection vulnerability in Enterprise Architect 16.0.1605 32-bit allows attackers to run arbitrary SQL commands via the Find parameter in the Select Classifier dialog box. |
| CVE-2004-0366 | 1 Pam-pgsql | 1 Pam-pgsql | 2024-02-09 | 7.5 HIGH | N/A | SQL injection vulnerability in the libpam-pgsql library before 0.5.2 allows attackers to execute arbitrary SQL statements. |
| CVE-2024-24001 | 1 Jishenghua | 1 Jsherp | 2024-02-09 | N/A | 9.8 CRITICAL | jshERP v3.3 is vulnerable to SQL Injection via the com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findallocationDetail() function of jshERP, which allows an attacker to construct a malicious payload to bypass jshERP's protection mechanism. |
| CVE-2024-24002 | 1 Jishenghua | 1 Jsherp | 2024-02-09 | N/A | 9.8 CRITICAL | jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload to bypass jshERP's protection mechanism in the `safeSqlParse` method for SQL injection. |
