Total
15780 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-38099 | 1 Netgear | 1 Prosafe Network Management System | 2025-02-06 | N/A | 8.8 HIGH |
| NETGEAR ProSAFE Network Management System getNodesByTopologyMapSearch SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the getNodesByTopologyMapSearch function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19723. | |||||
| CVE-2021-34235 | 1 Tsg-solutions | 1 Tokheim Profleet Dialog | 2025-02-06 | 10.0 HIGH | 9.8 CRITICAL |
| Tokheim Profleet DiaLOG 11.005.02 is affected by SQL Injection. The component is the Field__UserLogin parameter on the logon page. | |||||
| CVE-2021-36520 | 1 Washington | 1 I-tech Trainsmart | 2025-02-06 | N/A | 7.5 HIGH |
| A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via a evaluation/assign-evaluation?id= URI. | |||||
| CVE-2023-2094 | 1 Vehicle Service Management System Project | 1 Vehicle Service Management System | 2025-02-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in SourceCodester Vehicle Service Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/mechanics/manage_mechanic.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-226102 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-27844 | 1 Litextension | 1 Leurlrewrite | 2025-02-06 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability found in PrestaShopleurlrewrite v.1.0 and before allow a remote attacker to gain privileges via the Dispatcher::getController component. | |||||
| CVE-2023-27733 | 1 Dedecms | 1 Dedecms | 2025-02-06 | N/A | 7.2 HIGH |
| DedeCMS v5.7.106 was discovered to contain a SQL injection vulnerability via the component /dede/sys_sql_query.php. | |||||
| CVE-2022-45030 | 1 Rconfig | 1 Rconfig | 2025-02-06 | N/A | 8.8 HIGH |
| A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact with secure-file-priv). | |||||
| CVE-2017-18362 | 1 Connectwise | 1 Manageditsync | 2025-02-06 | 7.5 HIGH | 9.8 CRITICAL |
| ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication. | |||||
| CVE-2024-11713 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-06 | N/A | 4.9 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'page_id' parameter of the wpjobportal_deactivate() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-11714 | 1 Wpjobportal | 1 Wp Job Portal | 2025-02-06 | N/A | 4.9 MEDIUM |
| The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'ff' parameter of the getFieldsForVisibleCombobox() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-13680 | 1 Codepeople | 1 Form Builder Cp | 2025-02-05 | N/A | 6.5 MEDIUM |
| The Form Builder CP plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode in all versions up to, and including, 1.2.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-28094 | 1 Schoolbox | 1 Schoolbox | 2025-02-05 | N/A | 8.8 HIGH |
| Chat functionality in Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection enabling the authenticated attackers to read, modify, and delete database records. | |||||
| CVE-2023-30076 | 1 Judging Management System Project | 1 Judging Management System | 2025-02-05 | N/A | 9.8 CRITICAL |
| Sourcecodester Judging Management System v1.0 is vulnerable to SQL Injection via /php-jms/print_judges.php?print_judges.php=&se_name=&sub_event_id=. | |||||
| CVE-2024-13594 | 1 Neofix | 1 Simple Downloads List | 2025-02-05 | N/A | 6.5 MEDIUM |
| The Simple Downloads List plugin for WordPress is vulnerable to SQL Injection via the 'category' attribute of the 'neofix_sdl' shortcode in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-12195 | 1 Wedevs | 1 Wp Project Manager | 2025-02-05 | N/A | 6.5 MEDIUM |
| The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2023-26865 | 1 Brandsdistribution | 1 Bdroppy | 2025-02-05 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component. | |||||
| CVE-2023-23753 | 1 Vi-solutions | 1 Visforms | 2025-02-05 | N/A | 9.8 CRITICAL |
| The 'Visforms Base Package for Joomla 3' extension is vulnerable to SQL Injection as concatenation is used to construct an SQL Query. An attacker can interact with the database and could be able to read, modify and delete data on it. | |||||
| CVE-2024-6007 | 1 Netentsec | 1 Application Security Gateway | 2025-02-05 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /protocol/iscgwtunnel/deleteiscgwrouteconf.php. The manipulation of the argument messagecontent leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268695. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2344 | 1 Theme-fusion | 1 Avada | 2025-02-05 | N/A | 7.2 HIGH |
| The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticted attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-1893 | 1 Realestateconnected | 1 Easy Property Listings | 2025-02-05 | N/A | 8.8 HIGH |
| The Easy Property Listings plugin for WordPress is vulnerable to time-based SQL Injection via the ‘property_status’ shortcode attribute in all versions up to, and including, 3.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||