SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
Max CVSS
9.8
Published
2019-07-18
Updated
2019-08-13
EPSS
0.24%
Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malicious HTTP POST request. The fixed version is: 1.12.1.
Max CVSS
9.8
Published
2019-07-18
Updated
2019-07-23
EPSS
0.14%
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later.
Max CVSS
6.5
Published
2019-07-23
Updated
2019-07-24
EPSS
0.07%
marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6.
Max CVSS
9.8
Published
2019-07-24
Updated
2019-07-29
EPSS
0.14%
zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php.
Max CVSS
9.8
Published
2019-07-23
Updated
2019-07-24
EPSS
0.21%
zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.
Max CVSS
9.8
Published
2019-07-23
Updated
2019-07-24
EPSS
0.28%
TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request.
Max CVSS
9.8
Published
2019-07-18
Updated
2019-07-23
EPSS
0.12%
Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC.
Max CVSS
6.5
Published
2019-07-15
Updated
2019-08-21
EPSS
0.08%
OPT/NET BV OPTOSS Next Gen Network Management System (NG-NetMS) version v3.6-2 and earlier versions contains a SQL Injection vulnerability in Identified vulnerable parameters: id, id_access_type and id_attr_access that can result in a malicious attacker can include own SQL commands which database will execute. This attack appears to be exploitable via network connectivity.
Max CVSS
9.8
Published
2019-02-04
Updated
2019-02-06
EPSS
0.35%
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges.
Max CVSS
7.2
Published
2019-12-17
Updated
2019-12-20
EPSS
0.09%
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
Max CVSS
9.8
Published
2019-12-18
Updated
2019-12-18
EPSS
0.20%
Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
Max CVSS
9.8
Published
2019-12-12
Updated
2023-01-28
EPSS
10.94%
_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
Max CVSS
8.8
Published
2019-12-30
Updated
2020-01-07
EPSS
0.09%
translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
Max CVSS
7.2
Published
2019-12-30
Updated
2020-01-08
EPSS
0.09%
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
Max CVSS
8.8
Published
2019-12-11
Updated
2023-01-30
EPSS
0.27%
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
Max CVSS
9.8
Published
2019-12-11
Updated
2023-02-02
EPSS
5.26%
OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js.
Max CVSS
9.8
Published
2019-11-25
Updated
2019-12-04
EPSS
0.14%
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
Max CVSS
9.8
Published
2019-12-02
Updated
2019-12-11
EPSS
1.09%
rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.
Max CVSS
8.8
Published
2019-11-21
Updated
2019-11-26
EPSS
0.13%
main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection.
Max CVSS
9.8
Published
2019-11-18
Updated
2019-12-03
EPSS
0.21%
An issue was discovered in TitanHQ WebTitan before 5.18. Some functions, such as /history-x.php, of the administration interface are vulnerable to SQL Injection through the results parameter. This could be used by an attacker to extract sensitive information from the appliance database.
Max CVSS
7.5
Published
2019-12-02
Updated
2019-12-04
EPSS
0.17%
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.
Max CVSS
6.5
Published
2019-11-21
Updated
2019-11-26
EPSS
0.46%
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
Max CVSS
9.8
Published
2019-11-06
Updated
2019-11-06
EPSS
0.15%
A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter.
Max CVSS
9.8
Published
2019-11-04
Updated
2019-11-05
EPSS
0.20%
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.
Max CVSS
9.8
Published
2019-11-02
Updated
2019-12-04
EPSS
0.25%
554 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!