Total: 16884 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24308 | 1 Boostmyshop | 1 Boostmyshop | 2024-11-21 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in Boostmyshop (boostmyshopagent) module for Prestashop versions 1.1.9 and before, allows remote attackers to escalate privileges and obtain sensitive information via changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php. | |||||
| CVE-2024-24303 | 1 Hipresta | 1 Gift Wrapping Pro | 2024-11-21 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability in HiPresta "Gift Wrapping Pro" (hiadvancedgiftwrapping) module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information via the HiAdvancedGiftWrappingGiftWrappingModuleFrontController::addGiftWrappingCartValue() method. | |||||
| CVE-2024-24213 | 1 Supabase | 1 Postgres | 2024-11-21 | N/A | 9.8 CRITICAL |
| Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically, /pg_meta/default/query is for SQL queries that are entered in an intended UI by an authorized user. Nothing is injected. | |||||
| CVE-2024-24141 | 1 Remyandrade | 1 School Task Manager | 2024-11-21 | N/A | 9.8 CRITICAL |
| Sourcecodester School Task Manager App 1.0 allows SQL Injection via the 'task' parameter. | |||||
| CVE-2024-24139 | 1 Remyandrade | 1 Login System With Email Verification | 2024-11-21 | N/A | 7.2 HIGH |
| Sourcecodester Login System with Email Verification 1.0 allows SQL Injection via the 'user' parameter. | |||||
| CVE-2024-24133 | 1 Atmail | 1 Atmail | 2024-11-21 | N/A | 9.8 CRITICAL |
| Atmail v6.6.0 was discovered to contain a SQL injection vulnerability via the username parameter on the login page. | |||||
| CVE-2024-24023 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list. | |||||
| CVE-2024-24017 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list. | |||||
| CVE-2024-24004 | 1 Jishenghua | 1 Jsherp | 2024-11-21 | N/A | 9.8 CRITICAL |
| jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload to bypass jshERP's protection mechanism in the `safeSqlParse` method for SQL injection. | |||||
| CVE-2024-24002 | 1 Jishenghua | 1 Jsherp | 2024-11-21 | N/A | 9.8 CRITICAL |
| jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload to bypass jshERP's protection mechanism in the `safeSqlParse` method for SQL injection. | |||||
| CVE-2024-23975 | | | 2024-11-21 | N/A | 8.8 HIGH |
| SQL injection vulnerability exists in GetDIAE_slogListParameters. | |||||
| CVE-2024-23810 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | N/A | 8.8 HIGH |
| A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application is vulnerable to SQL injection. This could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database. | |||||
| CVE-2024-23646 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | N/A | 8.8 HIGH |
| Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue. | |||||
| CVE-2024-23507 | 1 Instawp | 1 Instawp Connect | 2024-11-21 | N/A | 8.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. | |||||
| CVE-2024-23494 | | | 2024-11-21 | N/A | 8.8 HIGH |
| SQL injection vulnerability exists in GetDIAE_unListParameters. | |||||
| CVE-2024-22406 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A | 9.3 CRITICAL |
| Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The "name" field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For the older versions 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. | |||||
| CVE-2024-22283 | 1 Delhivery | 1 Logistics Courier | 2024-11-21 | N/A | 8.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delhivery Delhivery Logistics Courier. This issue affects Delhivery Logistics Courier: from n/a through 1.0.107. | |||||
| CVE-2024-22221 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 4.5 MEDIUM |
| Dell Unity, versions prior to 5.4, contains a SQL Injection vulnerability. An authenticated attacker could potentially exploit this vulnerability, leading to exposure of sensitive information. | |||||
| CVE-2024-22196 | 1 Nginxui | 1 Nginx Ui | 2024-11-21 | N/A | 7.0 HIGH |
| Nginx-UI is an online statistics tool for server indicators that monitors CPU usage, memory usage, load average, and disk usage in real time. This issue may lead to information disclosure. By using `DefaultQuery`, the `"desc"` and `"id"` values are used as default values if the query parameters are not set. Thus, the `order` and `sort_by` query parameters are user-controlled and are being appended to the `order` variable without any sanitization. This issue has been patched in version 2.0.0.beta.9. | |||||
| CVE-2024-22147 | 1 Wpovernight | 1 Woocommerce Pdf Invoices & Packing Slips | 2024-11-21 | N/A | 7.6 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Overnight PDF Invoices & Packing Slips for WooCommerce. This issue affects PDF Invoices & Packing Slips for WooCommerce: from n/a through 3.7.5. | |||||
