Total
16055 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32704 | 1 Dhis2 | 1 Dhis 2 | 2024-11-21 | 6.5 MEDIUM | 8.5 HIGH |
| DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the /api/trackedEntityInstances API endpoint in DHIS2 versions 2.34.4, 2.35.2, 2.35.3, 2.35.4, and 2.36.0. Earlier versions, such as 2.34.3 and 2.35.1 and all versions 2.33 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance endpoint as a temporary workaround while waiting to upgrade. | |||||
| CVE-2021-32615 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection. | |||||
| CVE-2021-32590 | 1 Fortinet | 1 Fortiportal | 2024-11-21 | 9.0 HIGH | 9.9 CRITICAL |
| Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests. | |||||
| CVE-2021-32582 | 1 Connectwise | 1 Connectwise Automate | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in ConnectWise Automate before 2021.5. A blind SQL injection vulnerability exists in core agent inventory communication that can enable an attacker to extract database information or administrative credentials from an instance via crafted monitor status responses. | |||||
| CVE-2021-32474 | 1 Moodle | 1 Moodle | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected. | |||||
| CVE-2021-32428 | 1 Viaviweb | 1 Ebook | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in viaviwebtech Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) 10 via the author_id parameter to api.php. | |||||
| CVE-2021-32104 | 1 Open-emr | 1 Openemr | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. | |||||
| CVE-2021-32102 | 1 Open-emr | 1 Openemr | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. | |||||
| CVE-2021-32099 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass. | |||||
| CVE-2021-32051 | 1 Hexagon | 1 Intergraph G\!nius | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter. | |||||
| CVE-2021-31869 | 1 Pimcore | 1 Adminbundle | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the application. This issue was fixed in version 6.9.4 of the product. | |||||
| CVE-2021-31867 | 1 Pimcore | 1 Customer Management Framework | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| Pimcore Customer Data Framework version 3.0.0 and earlier suffers from a Boolean-based blind SQL injection issue in the $id parameter of the SegmentAssignmentController.php component of the application. This issue was fixed in version 3.0.2 of the product. | |||||
| CVE-2021-31856 | 1 Layer5 | 1 Meshery | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). | |||||
| CVE-2021-31849 | 1 Mcafee | 1 Data Loss Prevention Endpoint | 2024-11-21 | 6.5 MEDIUM | 8.4 HIGH |
| SQL injection vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.7.100 allows a remote attacker logged into ePO as an administrator to inject arbitrary SQL into the ePO database through the user management section of the DLP ePO extension. | |||||
| CVE-2021-31827 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. This is in MOVEit.DMZ.WebApp in SILHuman.vb. | |||||
| CVE-2021-31818 | 1 Octopus | 1 Server | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables. | |||||
| CVE-2021-31632 | 1 B2evolution | 1 B2evolution Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| b2evolution CMS v7.2.3 was discovered to contain a SQL injection vulnerability via the parameter cfqueryparam in the User login section. This vulnerability allows attackers to execute arbitrary code via a crafted input. | |||||
| CVE-2021-31586 | 1 Accellion | 1 Kiteworks | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search. | |||||
| CVE-2021-31316 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. | |||||
| CVE-2021-30486 | 1 Sysaid | 1 Sysaid | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injection via AssetManagementChart.jsp (GET computerID), AssetManagementChart.jsp (POST group1), AssetManagementList.jsp (GET computerID or group1), or AssetManagementSummary.jsp (GET group1). | |||||