Total
16884 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12794 | 1 Codezips | 1 E-commerce Site | 2025-01-06 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, was found in Codezips E-Commerce Site 1.0. This affects an unknown part of the file /admin/editorder.php. The manipulation of the argument dstatus/quantity/ddate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-0214 | 2025-01-04 | 4.3 MEDIUM | 4.1 MEDIUM | ||
| A vulnerability was found in TMD Custom Header Menu 4.0.0.1 on OpenCart. It has been rated as problematic. This issue affects some unknown processing of the file /admin/index.php. The manipulation of the argument headermenu_id leads to sql injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | |||||
| CVE-2023-35036 | 1 Progress | 1 Moveit Transfer | 2025-01-03 | N/A | 9.1 CRITICAL |
| In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | |||||
| CVE-2024-12832 | 1 Arista | 1 Ng Firewall | 2025-01-03 | N/A | 6.3 MEDIUM |
| Arista NG Firewall ReportEntry SQL Injection Arbitrary File Read and Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files and disclose sensitive information on affected installations of Arista NG Firewall. Authentication is required to exploit this vulnerability. The specific flaw exists within the ReportEntry class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the www-data user. Was ZDI-CAN-24325. | |||||
| CVE-2023-34756 | 2 Apple, Bloofox | 2 Macos, Bloofoxcms | 2025-01-03 | N/A | 9.8 CRITICAL |
| bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit. | |||||
| CVE-2023-34755 | 2 Apple, Bloofox | 2 Macos, Bloofoxcms | 2025-01-03 | N/A | 9.8 CRITICAL |
| bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the userid parameter at admin/index.php?mode=user&action=edit. | |||||
| CVE-2024-32480 | 1 Librenms | 1 Librenms | 2025-01-02 | N/A | 7.2 HIGH |
| LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Versions prior to 24.4.0 are vulnerable to SQL injection. The `order` parameter is obtained from `$request`. After performing a string check, the value is directly incorporated into an SQL statement and concatenated, resulting in a SQL injection vulnerability. An attacker may extract a whole database this way. Version 24.4.0 fixes the issue. | |||||
| CVE-2024-32461 | 1 Librenms | 1 Librenms | 2025-01-02 | N/A | 7.1 HIGH |
| LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A SQL injection vulnerability in POST /search/search=packages in LibreNMS prior to version 24.4.0 allows a user with global read privileges to execute SQL commands via the package parameter. With this vulnerability, an attacker can exploit a SQL injection time based vulnerability to extract all data from the database, such as administrator credentials. Version 24.4.0 contains a patch for the vulnerability. | |||||
| CVE-2024-2073 | 1 Oretnom23 | 1 Block Inserter For Dynamic Content | 2025-01-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in SourceCodester Block Inserter for Dynamic Content 1.0 and classified as critical. This vulnerability affects unknown code of the file view_post.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255388. | |||||
| CVE-2023-34754 | 2 Apple, Bloofox | 2 Macos, Bloofoxcms | 2025-01-02 | N/A | 9.8 CRITICAL |
| bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the pid parameter at admin/index.php?mode=settings&page=plugins&action=edit. | |||||
| CVE-2023-34753 | 2 Apple, Bloofox | 2 Macos, Bloofoxcms | 2025-01-02 | N/A | 9.8 CRITICAL |
| bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit. | |||||
| CVE-2023-34752 | 2 Apple, Bloofox | 2 Macos, Bloofoxcms | 2025-01-02 | N/A | 9.8 CRITICAL |
| bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit. | |||||
| CVE-2023-34751 | 2 Apple, Bloofox | 2 Macos, Bloofoxcms | 2025-01-02 | N/A | 9.8 CRITICAL |
| bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the gid parameter at admin/index.php?mode=user&page=groups&action=edit. | |||||
| CVE-2023-34750 | 2 Apple, Bloofox | 2 Macos, Bloofoxcms | 2025-01-02 | N/A | 9.8 CRITICAL |
| bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=projects&action=edit. | |||||
| CVE-2024-2147 | 1 Oretnom23 | 1 Online Mobile Store Management System | 2025-01-02 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in SourceCodester Online Mobile Management Store 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255500. | |||||
| CVE-2024-31495 | 1 Fortinet | 1 Fortiportal | 2025-01-02 | N/A | 4.3 MEDIUM |
| A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and version 7.2.0 allows privileged user to obtain unauthorized information via the report download functionality. | |||||
| CVE-2024-27096 | 1 Glpi-project | 1 Glpi | 2025-01-02 | N/A | 7.7 HIGH |
| GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13. | |||||
| CVE-2024-56250 | 2025-01-02 | N/A | 7.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GregRoss Just Writing Statistics allows SQL Injection.This issue affects Just Writing Statistics: from n/a through 4.7. | |||||
| CVE-2025-22214 | 2025-01-02 | N/A | 4.3 MEDIUM | ||
| Landray EIS 2001 through 2006 allows Message/fi_message_receiver.aspx?replyid= SQL injection. | |||||
| CVE-2024-1317 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2024-12-31 | N/A | 8.8 HIGH |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to SQL Injection via the ‘search_key’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||