Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29410 | 1 Hermit Project | 1 Hermit | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| Authenticated SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin <= 3.1.6 on WordPress allows attackers with Subscriber or higher user roles to execute SQLi attack via (&ids). | |||||
| CVE-2022-29411 | 1 Hermit Project | 1 Hermit | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection (SQLi) vulnerability in Mufeng's Hermit ????? plugin <= 3.1.6 on WordPress allows attackers to execute SQLi attack via (&id). | |||||
| CVE-2022-29304 | 1 Online Sports Complex Booking System Project | 1 Online Sports Complex Booking System | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility. | |||||
| CVE-2022-29317 | 1 Simple Bus Ticket Booking System Project | 1 Simple Bus Ticket Booking System | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| Simple Bus Ticket Booking System v1.0 was discovered to contain multiple SQL injection vulnerbilities via the username and password parameters at /assets/partials/_handleLogin.php. | |||||
| CVE-2022-28110 | 1 Hotel Management System Project | 1 Hotel Management System | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| Hotel Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at the login page. | |||||
| CVE-2022-27485 | 1 Fortinet | 1 Fortisandbox | 2023-11-07 | N/A | 6.5 MEDIUM |
| A improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request. | |||||
| CVE-2022-27596 | 1 Qnap | 2 Qts, Quts Hero | 2023-11-07 | N/A | 9.8 CRITICAL |
| A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later QTS 5.0.1.2234 build 20221201 and later | |||||
| CVE-2022-28346 | 2 Debian, Djangoproject | 2 Debian Linux, Django | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. | |||||
| CVE-2022-28962 | 1 Online Sports Complex Booking System Project | 1 Online Sports Complex Booking System | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client. | |||||
| CVE-2022-28347 | 2 Debian, Djangoproject | 2 Debian Linux, Django | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. | |||||
| CVE-2022-24844 | 2 Gin-vue-admin Project, Postgresql | 2 Gin-vue-admin, Postgresql | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQL must be used as the database for this vulnerability to occur. Users must: Require JWT login) and be using PostgreSQL to be affected. This issue has been resolved in version 2.5.1. There are no known workarounds. | |||||
| CVE-2022-24407 | 5 Cyrusimap, Debian, Fedoraproject and 2 more | 8 Cyrus-sasl, Debian Linux, Fedora and 5 more | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. | |||||
| CVE-2022-22338 | 1 Ibm | 1 Sterling B2b Integrator | 2023-11-07 | N/A | 9.8 CRITICAL |
| IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 219510. | |||||
| CVE-2022-21664 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | |||||
| CVE-2022-20786 | 1 Cisco | 1 Unified Communications Manager Im And Presence Service | 2023-11-07 | 5.5 MEDIUM | 8.1 HIGH |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system. | |||||
| CVE-2022-0814 | 1 Ubigeo De Peru Para Woocommerce Project | 1 Ubigeo De Peru Para Woocommerce | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections | |||||
| CVE-2022-0983 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default. | |||||
| CVE-2022-0507 | 1 Pandorafms | 1 Pandora Fms | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| Found a potential security vulnerability inside the Pandora API. Affected Pandora FMS version range: all versions of NG version, up to OUM 759. This vulnerability could allow an attacker with authenticated IP to inject SQL. | |||||
| CVE-2021-4246 | 1 Lmeve Project | 1 Lmeve | 2023-11-07 | N/A | 9.8 CRITICAL |
| A vulnerability was found in roxlukas LMeve and classified as critical. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument X-Forwarded-For leads to sql injection. The attack may be launched remotely. The name of the patch is 29e1ead3bb1c1fad53b77dfc14534496421c5b5d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216176. | |||||
| CVE-2021-4340 | 1 Stylemixthemes | 1 Ulisting | 2023-11-07 | N/A | 7.5 HIGH |
| The uListing plugin for WordPress is vulnerable to generic SQL Injection via the ‘listing_id’ parameter in versions up to, and including, 1.6.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||