| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-33894 |
|
|
Sql |
2021-06-09 |
2021-06-09 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements. |
|
2 |
CVE-2021-33470 |
89 |
|
Sql |
2021-05-26 |
2021-06-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel. |
|
3 |
CVE-2021-33180 |
89 |
|
Exec Code Sql |
2021-06-01 |
2021-06-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
4 |
CVE-2021-32932 |
|
|
Sql |
2021-06-11 |
2021-06-11 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on the iView (versions prior to v5.7.03.6182). |
|
5 |
CVE-2021-32615 |
89 |
|
Sql |
2021-05-13 |
2021-05-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection. |
|
6 |
CVE-2021-32104 |
89 |
|
Sql |
2021-05-07 |
2021-05-11 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1. |
|
7 |
CVE-2021-32102 |
89 |
|
Sql |
2021-05-07 |
2021-05-11 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1. |
|
8 |
CVE-2021-32099 |
89 |
|
Sql Bypass |
2021-05-07 |
2021-05-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass. |
|
9 |
CVE-2021-32051 |
89 |
|
Sql |
2021-05-14 |
2021-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter. |
|
10 |
CVE-2021-31856 |
|
|
Exec Code Sql |
2021-04-28 |
2021-04-28 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go). |
|
11 |
CVE-2021-31827 |
89 |
|
Sql |
2021-05-18 |
2021-05-25 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
In Progress MOVEit Transfer before 2021.0 (13.0), a SQL injection vulnerability has been found in the MOVEit Transfer web app that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. This is in MOVEit.DMZ.WebApp in SILHuman.vb. |
|
12 |
CVE-2021-31777 |
|
|
Sql |
2021-04-28 |
2021-05-03 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account. |
|
13 |
CVE-2021-31316 |
89 |
|
Sql |
2021-05-18 |
2021-05-24 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. |
|
14 |
CVE-2021-30459 |
89 |
|
Sql |
2021-04-14 |
2021-04-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form. |
|
15 |
CVE-2021-30177 |
89 |
|
Exec Code Sql |
2021-04-07 |
2021-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE. |
|
16 |
CVE-2021-30176 |
89 |
|
Sql |
2021-04-13 |
2021-04-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint. |
|
17 |
CVE-2021-30175 |
89 |
|
Sql |
2021-04-13 |
2021-04-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page. |
|
18 |
CVE-2021-30081 |
89 |
|
Sql |
2021-05-24 |
2021-05-27 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
An issue was discovered in emlog 6.0.0stable. There is a SQL Injection vulnerability that can execute any SQL statement and query server sensitive data via admin/navbar.php?action=add_page. |
|
19 |
CVE-2021-30055 |
89 |
|
Sql |
2021-04-05 |
2021-04-08 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report. |
|
20 |
CVE-2021-30000 |
89 |
|
Exec Code Sql |
2021-04-02 |
2021-04-07 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in LATRIX 0.6.0. SQL injection in the txtaccesscode parameter of inandout.php leads to information disclosure and code execution. |
|
21 |
CVE-2021-29350 |
89 |
|
Sql |
2021-04-29 |
2021-06-01 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection in the getip function in conn/function.php in ??100-???????? 1.1 allows remote attackers to inject arbitrary SQL commands via the X-Forwarded-For header to admin/product_add.php. |
|
22 |
CVE-2021-29343 |
89 |
|
Sql |
2021-03-30 |
2021-04-05 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
Ovidentia CMS 6.x contains a SQL injection vulnerability in the "id" parameter of index.php. The "checkbox" property into "text" data can be extracted and displayed in the text region or in source code. |
|
23 |
CVE-2021-29099 |
89 |
|
Sql |
2021-06-07 |
2021-06-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue. |
|
24 |
CVE-2021-29090 |
89 |
|
Exec Code Sql |
2021-06-02 |
2021-06-10 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors. |
|
25 |
CVE-2021-29089 |
89 |
|
Exec Code Sql |
2021-06-02 |
2021-06-10 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors. |
|
26 |
CVE-2021-29053 |
89 |
|
Exec Code Sql |
2021-05-17 |
2021-05-24 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Liferay Portal 7.3.5 and Liferay DXP 7.3 before fix pack 1 allow remote authenticated users to execute arbitrary SQL commands via the classPKField parameter to (1) CommerceChannelRelFinder.countByC_C, or (2) CommerceChannelRelFinder.findByC_C. |
|
27 |
CVE-2021-28970 |
89 |
|
Sql |
2021-04-01 |
2021-04-07 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
eMPS 9.0.1.923211 on the Central Management of FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the job_id parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3. |
|
28 |
CVE-2021-28969 |
89 |
|
Sql |
2021-04-01 |
2021-04-07 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
eMPS 9.0.1.923211 on FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort_by parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3. NOTE: this is different from CVE-2020-25034 and affects newer versions of the software. |
|
29 |
CVE-2021-28925 |
89 |
|
Sql |
2021-04-08 |
2021-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/. |
|
30 |
CVE-2021-28828 |
89 |
|
Sql |
2021-04-20 |
2021-04-23 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition for z/Linux, and TIBCO Administrator - Enterprise Edition for z/Linux contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a SQL injection attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.10.2 and below, and TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.11.0 and 5.11.1. |
|
31 |
CVE-2021-28668 |
89 |
|
Sql |
2021-03-29 |
2021-04-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 has several SQL injection vulnerabilities. |
|
32 |
CVE-2021-28419 |
89 |
|
Sql |
2021-03-18 |
2021-04-27 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases. |
|
33 |
CVE-2021-28381 |
89 |
|
Sql |
2021-03-16 |
2021-03-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The vhs (aka VHS: Fluid ViewHelpers) extension before 5.1.1 for TYPO3 allows SQL injection via isLanguageViewHelper. |
|
34 |
CVE-2021-28295 |
89 |
|
Sql |
2021-03-16 |
2021-03-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Online Ordering System 1.0 is vulnerable to unauthenticated SQL injection through /onlineordering/GPST/admin/design.php, which may lead to database information disclosure. |
|
35 |
CVE-2021-28245 |
89 |
|
Sql |
2021-03-31 |
2021-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
PbootCMS 3.0.4 contains a SQL injection vulnerability through index.php via the search parameter that can reveal sensitive information through adding an admin account. |
|
36 |
CVE-2021-28242 |
77 |
|
Sql +Info |
2021-04-15 |
2021-06-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab. |
|
37 |
CVE-2021-28157 |
89 |
|
Exec Code Sql |
2021-04-14 |
2021-04-21 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative user to execute arbitrary SQL commands via a username in api/security/userinfo/delete. |
|
38 |
CVE-2021-28142 |
89 |
|
Sql |
2021-04-06 |
2021-04-19 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
CITSmart before 9.1.2.28 mishandles the "filtro de autocomplete." |
|
39 |
CVE-2021-27973 |
89 |
|
Sql |
2021-04-02 |
2021-04-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages. |
|
40 |
CVE-2021-27948 |
89 |
|
Sql |
2021-03-15 |
2021-03-16 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3). |
|
41 |
CVE-2021-27947 |
89 |
|
Sql |
2021-03-15 |
2021-03-16 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3). |
|
42 |
CVE-2021-27946 |
89 |
|
Sql |
2021-03-15 |
2021-03-23 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3). |
|
43 |
CVE-2021-27928 |
78 |
|
Exec Code Sql |
2021-03-19 |
2021-05-26 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product. |
|
44 |
CVE-2021-27890 |
89 |
|
Sql |
2021-03-15 |
2021-03-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. |
|
45 |
CVE-2021-27828 |
89 |
|
Sql |
2021-06-01 |
2021-06-09 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries. |
|
46 |
CVE-2021-27672 |
89 |
|
Sql +Info |
2021-04-15 |
2021-04-21 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sesnitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component. |
|
47 |
CVE-2021-27581 |
89 |
|
Sql |
2021-03-05 |
2021-03-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter. |
|
48 |
CVE-2021-27545 |
89 |
|
Sql +Info |
2021-04-15 |
2021-04-21 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter. |
|
49 |
CVE-2021-27320 |
89 |
|
Sql |
2021-03-24 |
2021-03-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter. |
|
50 |
CVE-2021-27319 |
89 |
|
Sql |
2021-03-24 |
2021-03-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter. |
