Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6027 | 1 Themify | 1 Product Filter | 2024-06-24 | N/A | 7.5 HIGH |
| The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-6003 | 2024-06-17 | N/A | N/A | ||
| A vulnerability was found in Guangdong Baolun Electronics IP Network Broadcasting Service Platform 2.0. It has been classified as critical. Affected is an unknown function of the file /api/v2/maps. The manipulation of the argument orderColumn leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268692. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-36408 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 8.8 HIGH |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36410 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 8.8 HIGH |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36409 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 8.8 HIGH |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36411 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 8.8 HIGH |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36412 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 9.8 CRITICAL |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-5733 | 1 Online Discussion Forum Project | 1 Online Discussion Forum | 2024-06-11 | N/A | 9.8 CRITICAL |
| A vulnerability was found in itsourcecode Online Discussion Forum 1.0. It has been rated as critical. This issue affects some unknown processing of the file register_me.php. The manipulation of the argument eaddress leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-267407. | |||||
| CVE-2024-36393 | 1 Sysaid | 1 Sysaid | 2024-06-11 | N/A | 9.8 CRITICAL |
| SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | |||||
| CVE-2024-4743 | 1 Lifterlms | 1 Lifterlms | 2024-06-11 | N/A | 6.5 MEDIUM |
| The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to SQL Injection via the orderBy attribute of the lifterlms_favorites shortcode in all versions up to, and including, 7.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-5636 | 1 Bakery Online Ordering System Project | 1 Bakery Online Ordering System | 2024-06-11 | N/A | 9.8 CRITICAL |
| A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file report/index.php. The manipulation of the argument procduct leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-267092. | |||||
| CVE-2024-4295 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-06-11 | N/A | 9.8 CRITICAL |
| The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-5635 | 1 Bakery Online Ordering System Project | 1 Bakery Online Ordering System | 2024-06-11 | N/A | 9.8 CRITICAL |
| A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument txtsearch leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-267091. | |||||
| CVE-2023-51448 | 1 Cacti | 1 Cacti | 2024-06-10 | N/A | 8.8 HIGH |
| Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the `‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no patched versions exist. | |||||
| CVE-2023-49085 | 1 Cacti | 1 Cacti | 2024-06-10 | N/A | 8.8 HIGH |
| Cacti provides an operational monitoring and fault management framework. In versions 1.2.25 and prior, it is possible to execute arbitrary SQL code through the `pollers.php` script. An authorized user may be able to execute arbitrary SQL code. The vulnerable component is the `pollers.php`. Impact of the vulnerability - arbitrary SQL code execution. As of time of publication, a patch does not appear to exist. | |||||
| CVE-2024-5771 | 2024-06-10 | N/A | N/A | ||
| A vulnerability classified as critical was found in LabVantage LIMS 2017. This vulnerability affects unknown code of the file /labvantage/rc?command=page&page=SampleList&_iframename=list of the component POST Request Handler. The manipulation of the argument param1 leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-267454 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4903 | 2024-06-07 | N/A | N/A | ||
| A vulnerability was found in Tongda OA 2017. It has been declared as critical. This vulnerability affects unknown code of the file /general/meeting/manage/delete.php. The manipulation of the argument M_ID_STR leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264436. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-28996 | 1 Solarwinds | 1 Solarwinds Platform | 2024-06-06 | N/A | 8.1 HIGH |
| The SolarWinds Platform was determined to be affected by a SWQL Injection Vulnerability. Attack complexity is high for this vulnerability. | |||||
| CVE-2023-4974 | 1 Creativeitem | 1 Academy Lms | 2024-06-05 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-5283 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2024-06-05 | N/A | 8.8 HIGH |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as critical. This issue affects some unknown processing of the file teacher_signup.php. The manipulation of the argument firstname/lastname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240911. | |||||