Total: 11593 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-4277 | Xsjczx | Background Management System | 2024-01-25 | N/A | 9.8 CRITICAL | A vulnerability was found in Shaoxing Background Management System. It has been declared as critical. This vulnerability affects unknown code of the file /Default/Bd. The manipulation of the argument id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-214774 is the identifier assigned to this vulnerability. |
| CVE-2023-46351 | Mypresta | Manufacturers (brands) Images Block | 2024-01-25 | N/A | 9.8 CRITICAL | In the module mib < 1.6.1 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The method `mib::getManufacturersByCategory()` has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection. |
| CVE-2023-43985 | Sunnytoo | Stblogsearch | 2024-01-25 | N/A | 9.8 CRITICAL | SunnyToo stblogsearch up to v1.0.0 was discovered to contain a SQL injection vulnerability via the StBlogSearchClass::prepareSearch component. |
| CVE-2023-50028 | Prestashopmodules | Sliding Cart Block | 2024-01-25 | N/A | 9.8 CRITICAL | In the module "Sliding cart block" (blockslidingcart) up to version 2.3.8 from PrestashopModules.eu for PrestaShop, a guest can perform SQL injection. |
| CVE-2023-20211 | Cisco | Unified Communications Manager | 2024-01-25 | N/A | 8.8 HIGH | A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by authenticating to the application as a user with read-only or higher privileges and sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or modify data in the underlying database or elevate their privileges. |
| CVE-2023-20010 | Cisco | Unified Communications Manager | 2024-01-25 | N/A | 8.8 HIGH | A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges. |
| CVE-2022-20867 | Cisco | Asyncos, Secure Email And Web Manager, Secure Email Gateway | 2024-01-25 | N/A | 6.5 MEDIUM | A vulnerability in the web-based management interface of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as root on an affected system. The attacker must have the credentials of a high-privileged user account. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain or modify data that is stored in the underlying database of the affected system. |
| CVE-2023-50030 | Joommasters | Jmssetting | 2024-01-25 | N/A | 9.8 CRITICAL | In the module "Jms Setting" (jmssetting) from Joommasters for PrestaShop, a guest can perform SQL injection in versions <= 1.1.0. The method `JmsSetting::getSecondImgs()` has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a blind SQL injection. |
| CVE-2023-5806 | Mergentech | Quality Management System | 2024-01-25 | N/A | 9.8 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection. This issue affects Quality Management System: before v1.2. |
| CVE-2023-5041 | Tracktheclick | Track The Click | 2024-01-24 | N/A | 8.8 HIGH | The Track The Click WordPress plugin before 0.3.12 does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged-in user with an author role or higher to perform time-based blind SQLi attacks on the database. |
| CVE-2024-0405 | Burst-statistics | Burst Statistics | 2024-01-24 | N/A | 6.5 MEDIUM | The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to post-authenticated SQL injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries to existing ones, potentially leading to unauthorized access to sensitive information from the database. |
| CVE-2023-52285 | Lrx0014 | Examsys | 2024-01-24 | N/A | 7.5 HIGH | ExamSys 9150244 allows SQL injection via the /Support/action/Pages.php s_score2 parameter. |
| CVE-2024-22406 | Shopware | Shopware | 2024-01-24 | N/A | 9.8 CRITICAL | Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
| CVE-2023-51805 | Tduckcloud | Tduck-platform | 2024-01-24 | N/A | 6.5 MEDIUM | SQL injection vulnerability in TDuckCloud tduck-platform v.4.0 allows a remote attacker to obtain sensitive information via the getFormKey parameter in the search function of the FormDataMysqlService.java file. |
| CVE-2021-24151 | Benjaminrojas | Wp Editor | 2024-01-23 | N/A | 7.2 HIGH | The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields, leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings. |
| CVE-2023-6373 | Artplacer | Artplacer Widget | 2024-01-23 | N/A | 8.8 HIGH | The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLi exploitable by editors and above. Note: due to the lack of a CSRF check, the issue could also be exploited via CSRF against a logged-in editor (or above). |
| CVE-2023-2655 | Web-dorado | Contact Form Maker | 2024-01-23 | N/A | 7.2 HIGH | The Contact Form by WD WordPress plugin through 1.13.23 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin. |
| CVE-2022-3764 | Wpvibes | Form Vibes | 2024-01-23 | N/A | 7.2 HIGH | The plugin does not filter the "delete_entries" parameter from user requests, leading to a SQL injection vulnerability. |
| CVE-2023-51810 | Stackideas | Easydiscuss | 2024-01-22 | N/A | 7.5 HIGH | SQL injection vulnerability in StackIdeas EasyDiscuss v.5.0.5, fixed in v.5.0.10, allows a remote attacker to obtain sensitive information via a crafted request to the search parameter in the Users module. |
| CVE-2023-0224 | Givewp | Givewp | 2024-01-22 | N/A | 9.8 CRITICAL | The GiveWP WordPress plugin before 2.24.1 does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL injection attacks. |
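Nearly every entry above has the same root cause: a request parameter (an `id`, a `page_url`, a search term, an aggregation `name`) is concatenated into SQL text instead of being bound as a parameter, and several entries note that the result is a blind injection. The following added example is not code from any of the listed projects; it reproduces that pattern against an in-memory SQLite database with constructed sample rows (the table `entries` and its columns, the `/home` page and the `token-*` values are all assumptions) and shows, side by side, a tautology payload, a UNION read of a column the query never exposed, boolean-blind extraction of a value one character at a time, the parameterized query that defeats all three, and an allow-list for the one thing a bound parameter cannot protect, a user-chosen column name.

```python
"""Added example: SQL injection via string concatenation vs. bound parameters.

Not code from any project listed above. The schema and sample rows are
constructed for the demonstration; the table and column names are assumptions.
"""
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a plugin's statistics table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE entries (id INTEGER, page_url TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO entries VALUES (?, ?, ?)",
        [(1, "/home", "token-A"), (2, "/admin", "token-B"), (3, "/cart", "token-C")],
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, page_url: str) -> list:
    """The pattern behind the entries above: user input spliced into SQL text.

    Anything the caller puts in page_url becomes part of the statement,
    including quotes, UNION clauses and comment markers.
    """
    sql = f"SELECT id, page_url FROM entries WHERE page_url = '{page_url}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, page_url: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL.

    The same payloads are compared literally against the column and match
    nothing, because the statement text is fixed before the value is supplied.
    """
    sql = "SELECT id, page_url FROM entries WHERE page_url = ?"
    return con.execute(sql, (page_url,)).fetchall()


def blind_extract(con: sqlite3.Connection, row_id: int, max_len: int = 32) -> str:
    """Boolean-blind extraction through the vulnerable lookup.

    The application never returns `secret`; it only reveals whether a row
    matched. Each probe appends an AND condition comparing one character of
    the target value, so the presence or absence of a result row is the oracle.
    (Time-based blind injection, as in several entries above, is the same
    technique with a sleep() in place of the row-count difference.)
    """
    alphabet = string.ascii_letters + string.digits + "-_"
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in alphabet:
            # The template's closing quote completes the ='c' comparison.
            payload = (
                f"/home' AND substr((SELECT secret FROM entries WHERE id={row_id}),"
                f"{pos},1)='{c}"
            )
            if lookup_vulnerable(con, payload):
                recovered += c
                break
        else:
            # No character matched at this position: end of the value.
            return recovered
    return recovered


ALLOWED_COLUMNS = frozenset({"id", "page_url"})


def is_allowed_column(column: str) -> bool:
    """Identifiers cannot be bound as parameters, so they must be allow-listed."""
    return column in ALLOWED_COLUMNS


def lookup_by_column(con: sqlite3.Connection, column: str, value) -> list:
    """Safe dynamic column selection: allow-list the identifier, bind the value."""
    if not is_allowed_column(column):
        raise ValueError(f"unexpected column {column!r}")
    sql = f"SELECT id, page_url FROM entries WHERE {column} = ?"
    return con.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    union = "x' UNION SELECT id, secret FROM entries --"
    print("vulnerable, tautology:   ", lookup_vulnerable(db, tautology))
    print("vulnerable, UNION:       ", lookup_vulnerable(db, union))
    print("vulnerable, blind:       ", blind_extract(db, 2))
    print("parameterized, tautology:", lookup_parameterized(db, tautology))
    print("parameterized, UNION:    ", lookup_parameterized(db, union))
    print("allow-listed column:     ", lookup_by_column(db, "id", 2))
```

Run it as a script to see the three attacks succeed against `lookup_vulnerable` and fail against `lookup_parameterized`. The blind loop is the part worth studying: it never sees `secret` in any response, only whether the row for `/home` came back, which is exactly the signal the blind and time-based entries in the list rely on. When triaging one of these advisories, the fix to look for in the patch is the move from string building to bound parameters (`$wpdb->prepare()`, `Db::getInstance()->escape()` with explicit casting, PDO placeholders) and, where a column or table name genuinely comes from the request, an allow-list like `is_allowed_column`.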
