Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27845 | 1 Kerawen | 1 Omnichannel Stocks | 2023-07-14 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allow a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo, and KerawenHelper::resetCheckoutSessionData components. | |||||
| CVE-2023-29095 | 1 Rsvpmaker Project | 1 Rsvpmaker | 2023-07-13 | N/A | 7.2 HIGH |
| Auth. (admin+) SQL Injection (SQLi) vulnerability in David F. Carr RSVPMaker plugin < 10.5.5 versions. | |||||
| CVE-2023-36932 | 1 Progress | 1 Moveit Transfer | 2023-07-12 | N/A | 8.1 HIGH |
| In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | |||||
| CVE-2023-30325 | 1 Chatengine Project | 1 Chatengine | 2023-07-12 | N/A | 7.5 HIGH |
| SQL Injection vulnerability in textMessage parameter in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine v.1.0, allows attackers to gain sensitive information. | |||||
| CVE-2023-30323 | 1 Chatengine Project | 1 Chatengine | 2023-07-12 | N/A | 7.5 HIGH |
| SQL Injection vulnerability in username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0, allows attackers to gain sensitive information. | |||||
| CVE-2023-35924 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | |||||
| CVE-2023-36808 | 1 Glpi-project | 1 Glpi | 2023-07-10 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | |||||
| CVE-2023-22319 | 1 Milesight | 1 Milesightvpn | 2023-07-10 | N/A | 9.8 CRITICAL |
| A sql injection vulnerability exists in the requestHandlers.js LoginAuth functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a malicious packet to trigger this vulnerability. | |||||
| CVE-2023-36968 | 1 Food Ordering System Project | 1 Food Ordering System | 2023-07-10 | N/A | 7.2 HIGH |
| A SQL Injection vulnerability detected in Food Ordering System v1.0 allows attackers to run commands on the database by sending crafted SQL queries to the ID parameter. | |||||
| CVE-2023-36934 | 1 Progress | 1 Moveit Transfer | 2023-07-10 | N/A | 9.1 CRITICAL |
| In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. | |||||
| CVE-2022-46163 | 1 Opensuse | 1 Travel Support Program | 2023-07-07 | N/A | 7.5 HIGH |
| Travel support program is a rails app to support the travel support program of openSUSE (TSP). Sensitive user data (bank account details, password Hash) can be extracted via Ransack query injection. Every deployment of travel-support-program below the patched version is affected. The travel-support-program uses the Ransack library to implement search functionality. In its default configuration, Ransack will allow for query conditions based on properties of associated database objects [1]. The `*_start`, `*_end` or `*_cont` search matchers [2] can then be abused to exfiltrate sensitive string values of associated database objects via character-by-character brute-force (A match is indicated by the returned JSON not being empty). A single bank account number can be extracted with <200 requests, a password hash can be extracted with ~1200 requests, all within a few minutes. The problem has been patched in commit d22916275c51500b4004933ff1b0a69bc807b2b7. In order to work around this issue, you can also cherry pick that patch, however it will not work without the Rails 5.0 migration that was done in #150, which in turn had quite a few pull requests it depended on. | |||||
| CVE-2023-33592 | 1 Lost And Found Information System Project | 1 Lost And Found Information System | 2023-07-07 | N/A | 9.8 CRITICAL |
| Lost and Found Information System v1.0 was discovered to contain a SQL injection vulnerability via the component /php-lfis/admin/?page=system_info/contact_information. | |||||
| CVE-2023-3490 | 1 Fossbilling | 1 Fossbilling | 2023-07-06 | N/A | 9.8 CRITICAL |
| SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. | |||||
| CVE-2023-34487 | 1 Online Hotel Management System Project | 1 Online Hotel Management System | 2023-07-06 | N/A | 9.8 CRITICAL |
| itsourcecode Online Hotel Management System Project In PHP v1.0.0 is vulnerable to SQL Injection. SQL injection points exist in the login password input box. This vulnerability can be exploited through time-based blind injection. | |||||
| CVE-2023-34735 | 1 Property Cloud Platform Management Center Project | 1 Property Cloud Platform Management Center | 2023-07-06 | N/A | 9.8 CRITICAL |
| Property Cloud Platform Management Center 1.0 is vulnerable to error-based SQL injection. | |||||
| CVE-2023-34418 | 1 Lenovo | 1 Xclarity Administrator | 2023-07-06 | N/A | 8.1 HIGH |
| A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API. | |||||
| CVE-2023-36663 | 1 It-novum | 1 Openitcockpit | 2023-07-05 | N/A | 8.8 HIGH |
| it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the sort parameter of the API interface. | |||||
| CVE-2022-47614 | 1 Inspireui | 1 Mstore Api | 2023-07-03 | N/A | 7.5 HIGH |
| Unauth. SQL Injection (SQLi) vulnerability in InspireUI MStore API plugin <= 3.9.7 versions. | |||||
| CVE-2023-32529 | 1 Trendmicro | 1 Apex Central | 2023-06-30 | N/A | 8.8 HIGH |
| Vulnerable modules of Trend Micro Apex Central (on-premise) contain vulnerabilities which would allow authenticated users to perform a SQL injection that could lead to remote code execution. Please note: an attacker must first obtain authentication on the target system in order to exploit these vulnerabilities. This is similar to, but not identical to CVE-2023-32530. | |||||
| CVE-2023-2080 | 1 Forcepoint | 2 Email Security, Web Security | 2023-06-30 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud allows Blind SQL Injection. | |||||