Total
14524 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26784 | 1 Tosec | 1 Kirin Fortress Machine | 2024-11-21 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability found in Kirin Fortress Machine v.1.7-2020-0610 allows attackers to execute arbitrary code via the /admin.php?controller=admin_commonuser parameter. | |||||
| CVE-2023-26780 | 1 Yf-exam Project | 1 Yf-exam | 2024-11-21 | N/A | 9.8 CRITICAL |
| CleverStupidDog yf-exam v 1.8.0 is vulnerable to SQL Injection. | |||||
| CVE-2023-26584 | 1 Idattend | 1 Idweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Unauthenticated SQL injection in the GetStudentInconsistencies method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | |||||
| CVE-2023-26583 | 1 Idattend | 1 Idweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | |||||
| CVE-2023-26582 | 1 Idattend | 1 Idweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Unauthenticated SQL injection in the GetExcursionDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | |||||
| CVE-2023-26581 | 1 Idattend | 1 Idweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Unauthenticated SQL injection in the GetVisitors method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | |||||
| CVE-2023-26572 | 1 Idattend | 1 Idweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Unauthenticated SQL injection in the GetExcursionList method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | |||||
| CVE-2023-26569 | 1 Idattend | 1 Idweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Unauthenticated SQL injection in the StudentPopupDetails_Timetable method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | |||||
| CVE-2023-26568 | 1 Idattend | 1 Idweb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Unauthenticated SQL injection in the GetStudentGroupStudents method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. | |||||
| CVE-2023-26525 | 1 Wedevs | 1 Dokan | 2024-11-21 | N/A | 7.1 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy.This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.12. | |||||
| CVE-2023-26454 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A | 7.6 HIGH |
| Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known. | |||||
| CVE-2023-26453 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A | 7.6 HIGH |
| Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known. | |||||
| CVE-2023-26452 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | N/A | 7.6 HIGH |
| Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known. | |||||
| CVE-2023-26443 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-11-21 | N/A | 5.5 MEDIUM |
| Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. With existing sanitization in place, this can be abused to trigger benign SQL Exceptions but could potentially be escalated to a malicious SQL injection vulnerability. We now properly encode single quotes for SQL FULLTEXT queries. No publicly available exploits are known. | |||||
| CVE-2023-26440 | 1 Open-xchange | 1 Open-xchange Appsuite Office | 2024-11-21 | N/A | 7.1 HIGH |
| The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known. | |||||
| CVE-2023-26439 | 1 Open-xchange | 1 Open-xchange Appsuite Office | 2024-11-21 | N/A | 7.6 HIGH |
| The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known. | |||||
| CVE-2023-26325 | 1 Wpdeveloper | 1 Reviewx | 2024-11-21 | N/A | 8.8 HIGH |
| The 'rx_export_review' action in the ReviewX WordPress Plugin, is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters. | |||||
| CVE-2023-26217 | 1 Tibco | 1 Ebx Add-ons | 2024-11-21 | N/A | 8.8 HIGH |
| The Data Exchange Add-on component of TIBCO Software Inc.'s TIBCO EBX Add-ons contains an easily exploitable vulnerability that allows a low privileged user with import permissions and network access to the EBX server to execute arbitrary SQL statements on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX Add-ons: versions 4.5.17 and below, versions 5.6.2 and below, version 6.1.0. | |||||
| CVE-2023-26037 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A | 8.9 HIGH |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. | |||||
| CVE-2023-26034 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A | 9.6 CRITICAL |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution. | |||||