| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2020-35848 | 89 | | Sql | 2020-12-30 | 2022-04-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function. |
| 2 | CVE-2020-35847 | 89 | | Sql | 2020-12-30 | 2022-04-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function. |
| 3 | CVE-2020-35846 | 89 | | Sql | 2020-12-30 | 2022-09-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. |
| 4 | CVE-2020-35743 | 89 | | Sql | 2020-12-31 | 2021-01-07 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | HGiga MailSherlock contains a SQL injection flaw. Attackers can inject and launch SQL commands in a URL parameter of specific cgi pages. |
| 5 | CVE-2020-35742 | 89 | | Sql | 2020-12-31 | 2021-01-07 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | HGiga MailSherlock contains a SQL injection vulnerability. Attackers can inject and launch SQL commands in a URL parameter. |
| 6 | CVE-2020-35708 | 89 | | Sql | 2020-12-25 | 2020-12-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | phpList 3.5.9 allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. |
| 7 | CVE-2020-35666 | 89 | | Sql | 2020-12-23 | 2020-12-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value. |
| 8 | CVE-2020-35613 | 89 | | Sql | 2020-12-28 | 2020-12-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Joomla! 3.0.0 through 3.9.22. Improper filter blacklist configuration leads to a SQL injection vulnerability in the backend user list. |
| 9 | CVE-2020-35545 | 89 | | Sql | 2020-12-17 | 2020-12-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Time-based SQL injection exists in Spotweb 1.4.9 via the query string. |
| 10 | CVE-2020-35382 | 89 | | Sql | 2020-12-14 | 2020-12-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection in Classbooking before 2.4.1 via the username field of a CSV file when adding a new user. |
| 11 | CVE-2020-35378 | 89 | | Exec Code Sql Bypass | 2020-12-14 | 2020-12-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection in the login page in Online Bus Ticket Reservation 1.0 allows attackers to execute arbitrary SQL commands and bypass authentication via the username and password fields. |
| 12 | CVE-2020-35276 | 89 | | Sql Bypass | 2020-12-21 | 2020-12-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi, get Admin access, and add or remove any user. |
| 13 | CVE-2020-35245 | 89 | | Sql | 2020-12-26 | 2020-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addUser. |
| 14 | CVE-2020-35244 | 89 | | Sql | 2020-12-26 | 2020-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::addGroup. |
| 15 | CVE-2020-35243 | 89 | | Sql | 2020-12-26 | 2020-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb. |
| 16 | CVE-2020-35242 | 89 | | Sql | 2020-12-26 | 2020-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory. |
| 17 | CVE-2020-35151 | 89 | | Sql | 2020-12-21 | 2020-12-22 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Online Marriage Registration System 1.0 POST parameter "searchdata" in the user/search.php request is vulnerable to time-based SQL injection. |
| 18 | CVE-2020-35122 | 89 | | Sql Bypass | 2020-12-15 | 2020-12-17 | 4.0 | None | Remote | Low | ??? | None | Partial | None | An issue was discovered in the Keysight Database Connector plugin before 1.5.0 for Confluence. A malicious user could bypass the access controls for using a saved database connection profile to submit arbitrary SQL against a saved database connection. |
| 19 | CVE-2020-29574 | 89 | | Sql | 2020-12-11 | 2020-12-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. |
| 20 | CVE-2020-29474 | 89 | | Exec Code Sql | 2020-12-24 | 2021-04-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | EGavilan Media EGM Address Book 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution. |
| 21 | CVE-2020-29472 | 89 | | Exec Code Sql | 2020-12-24 | 2021-04-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | EGavilan Media Under Construction page with cPanel 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution. |
| 22 | CVE-2020-29288 | 89 | | Sql | 2020-12-02 | 2020-12-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An SQL injection vulnerability was discovered in Gym Management System. In the manage_user.php file, the GET parameter 'id' is vulnerable. |
| 23 | CVE-2020-29287 | 89 | | Sql | 2020-12-02 | 2020-12-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An SQL injection vulnerability was discovered in Car Rental Management System v1.0, which can be exploited via the id parameter in view_car.php or the car_id parameter in booking.php. |
| 24 | CVE-2020-29285 | 89 | | Sql | 2020-12-02 | 2020-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php. |
| 25 | CVE-2020-29284 | 89 | | Sql | 2020-12-02 | 2020-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter, which allows unauthenticated SQL injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability. |
| 26 | CVE-2020-29283 | 89 | | Sql | 2020-12-02 | 2020-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php. |
| 27 | CVE-2020-29282 | 89 | | Sql Bypass | 2020-12-02 | 2020-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication. |
| 28 | CVE-2020-29280 | 89 | | Sql | 2020-12-02 | 2020-12-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page. |
| 29 | CVE-2020-29228 | 89 | | Sql | 2020-12-30 | 2021-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login Page. |
| 30 | CVE-2020-28994 | 89 | | Sql | 2020-11-24 | 2020-11-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL injection vulnerability was discovered in Karenderia Multiple Restaurant System, affecting versions 5.4.2 and below. The vulnerability allows an unauthenticated attacker to perform various tasks such as modifying and leaking all contents of the database. |
| 31 | CVE-2020-28860 | 89 | | Sql | 2020-12-14 | 2020-12-15 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user-supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection. |
| 32 | CVE-2020-28413 | 89 | | Sql | 2020-12-30 | 2021-01-05 | 4.0 | None | Remote | Low | ??? | Partial | None | None | In MantisBT 2.24.3, SQL injection can occur in the parameter "access" of the mc_project_get_users function through the SOAP API. |
| 33 | CVE-2020-28183 | 89 | | Sql | 2020-11-17 | 2020-12-01 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the username and password parameters to process.php. |
| 34 | CVE-2020-28138 | 89 | | Sql | 2020-11-17 | 2020-11-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SourceCodester Online Clothing Store 1.0 is affected by a SQL injection via the txtUserName parameter to login.php. |
| 35 | CVE-2020-28133 | 89 | | +Priv Sql Bypass | 2020-11-17 | 2020-12-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in SourceCodester Simple Grocery Store Sales And Inventory System 1.0. An authentication bypass in the web login functionality allows an attacker to gain client privileges via SQL injection in sales_inventory/login.php. |
| 36 | CVE-2020-28115 | 89 | | Exec Code Sql | 2020-11-05 | 2020-11-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in the "Documents component" found in AudimexEE version 14.1.0 allows an attacker to execute arbitrary SQL commands via the object_path parameter. |
| 37 | CVE-2020-28091 | 89 | | Sql | 2020-11-18 | 2020-12-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | cxuucms v3 has a SQL injection vulnerability, which can lead to the leakage of all database data via the keywords parameter of search.php. |
| 38 | CVE-2020-28074 | 89 | | Sql Bypass | 2020-12-23 | 2020-12-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SourceCodester Online Health Care System 1.0 is affected by SQL injection, which allows a potential attacker to bypass the authentication system and become an admin. |
| 39 | CVE-2020-28073 | 89 | | Sql Bypass | 2020-12-23 | 2020-12-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SourceCodester Library Management System 1.0 is affected by SQL injection, allowing an attacker to bypass user authentication and impersonate any user on the system. |
| 40 | CVE-2020-28070 | 89 | | Exec Code Sql | 2020-12-23 | 2020-12-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SourceCodester Alumni Management System 1.0 is affected by SQL injection causing arbitrary remote code execution from GET input in view_event.php via the 'id' parameter. |
| 41 | CVE-2020-27995 | 89 | | Exec Code Sql | 2020-10-29 | 2020-11-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. |
| 42 | CVE-2020-27886 | 89 | | Sql | 2020-10-29 | 2020-11-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php). |
| 43 | CVE-2020-27848 | 89 | | Sql | 2020-12-30 | 2021-01-04 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | dotCMS before 20.10.1 allows SQL injection, as demonstrated by the /api/v1/containers orderby parameter. The PaginatorOrdered classes that are used to paginate results of REST endpoints do not sanitize the orderBy parameter, and in some cases it is vulnerable to SQL injection attacks. A user must be an authenticated manager in the dotCMS system to exploit this vulnerability. |
| 44 | CVE-2020-27660 | 89 | | Exec Code Sql | 2020-11-30 | 2022-04-12 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. |
| 45 | CVE-2020-27615 | 89 | | Sql XSS | 2020-10-21 | 2020-10-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip. |
| 46 | CVE-2020-27481 | 89 | | Sql | 2020-11-12 | 2020-11-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An unauthenticated SQL injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the usage of the "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to get access to the function "gdlr_lms_cancel_booking", where the POST parameter "id" was sent straight into a SQL query without sanitization. |
| 47 | CVE-2020-27207 | 416 | | DoS Exec Code Sql | 2020-11-26 | 2020-12-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read. |
| 48 | CVE-2020-26944 | 89 | | Sql | 2020-10-16 | 2020-10-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Aptean Product Configurator 4.61.0000 on Windows. A time-based SQL injection affects the nameTxt parameter on the main login page (aka cse?cmd=LOGIN). This can be exploited directly, and remotely. |
| 49 | CVE-2020-26935 | 89 | | Sql | 2020-10-10 | 2023-01-31 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query. |
| 50 | CVE-2020-26805 | 89 | | Sql | 2020-11-12 | 2020-11-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | In Sentrifugo 3.2, an admin can edit an employee's information via the endpoint /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, the "employeeNumId" parameter is affected by a SQLi vulnerability. An attacker can inject SQL commands into the query and read data from or write data into the database. |