Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36975 | 1 Ivanti | 1 Avalanche | 2023-04-05 | N/A | 9.8 CRITICAL |
| This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332. | |||||
| CVE-2022-36973 | 1 Ivanti | 1 Avalanche | 2023-04-05 | N/A | 8.8 HIGH |
| This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15329. | |||||
| CVE-2022-36972 | 1 Ivanti | 1 Avalanche | 2023-04-05 | N/A | 9.8 CRITICAL |
| This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328. | |||||
| CVE-2022-42429 | 1 Centreon | 1 Centreon | 2023-04-05 | N/A | 8.8 HIGH |
| This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18557. | |||||
| CVE-2022-31056 | 1 Glpi-project | 1 Glpi | 2023-04-03 | 7.5 HIGH | 9.8 CRITICAL |
| GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade. | |||||
| CVE-2023-27847 | 1 Xipblog Project | 1 Xipblog | 2023-04-01 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability found in PrestaShop xipblog v.2.0.1 and before allow a remote attacker to gain privileges via the xipcategoryclass and xippostsclass components. | |||||
| CVE-2023-28437 | 1 Dataease | 1 Dataease | 2023-03-30 | N/A | 9.8 CRITICAL |
| Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. | |||||
| CVE-2023-24840 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2023-03-30 | N/A | 7.2 HIGH |
| HGiga MailSherlock mail query function has vulnerability of insufficient validation for user input. An authenticated remote attacker with administrator privilege can exploit this vulnerability to inject SQL commands to read, modify, and delete the database. | |||||
| CVE-2023-28660 | 1 E-dynamics | 1 Events Made Easy | 2023-03-28 | N/A | 8.8 HIGH |
| The Events Made Easy WordPress Plugin, version <= 2.3.14 is affected by an authenticated SQL injection vulnerability in the 'search_name' parameter in the eme_recurrences_list action. | |||||
| CVE-2023-27034 | 1 Joommasters | 1 Jms Blog | 2023-03-28 | N/A | 9.8 CRITICAL |
| PrestaShop jmsblog 2.5.5 was discovered to contain a SQL injection vulnerability. | |||||
| CVE-2023-28661 | 1 Accesspressthemes | 1 Wp Popup Banners | 2023-03-28 | N/A | 8.8 HIGH |
| The WP Popup Banners WordPress Plugin, version <= 1.2.5, is affected by an authenticated SQL injection vulnerability in the 'value' parameter in the get_popup_data action. | |||||
| CVE-2023-28438 | 1 Pimcore | 1 Pimcore | 2023-03-27 | N/A | 8.0 HIGH |
| Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually. | |||||
| CVE-2022-26986 | 1 Impresscms | 1 Impresscms | 2023-03-27 | 8.5 HIGH | 7.2 HIGH |
| SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system. | |||||
| CVE-2023-24258 | 1 Spip | 1 Spip | 2023-03-24 | N/A | 9.8 CRITICAL |
| SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2023-1578 | 1 Pimcore | 1 Pimcore | 2023-03-24 | N/A | 8.8 HIGH |
| SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19. | |||||
| CVE-2023-1545 | 1 Teampass | 1 Teampass | 2023-03-24 | N/A | 7.5 HIGH |
| SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. | |||||
| CVE-2023-28108 | 1 Pimcore | 1 Pimcore | 2023-03-22 | N/A | 7.8 HIGH |
| Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. | |||||
| CVE-2023-26784 | 1 Tosec | 1 Kirin Fortress Machine | 2023-03-22 | N/A | 9.8 CRITICAL |
| SQL Injection vulnerability found in Kirin Fortress Machine v.1.7-2020-0610 allows attackers to execute arbitrary code via the /admin.php?controller=admin_commonuser parameter. | |||||
| CVE-2023-27037 | 1 Qibosoft | 1 Qibocms | 2023-03-22 | N/A | 8.8 HIGH |
| Qibosoft QiboCMS v7 was discovered to contain a remote code execution (RCE) vulnerability via the Get_Title function at label_set_rs.php | |||||
| CVE-2023-25206 | 1 Prestashop | 1 Advanced Reviews | 2023-03-17 | N/A | 8.8 HIGH |
| PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection. | |||||