Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7003 | 1 Avaya | 1 Control Manager | 2023-02-03 | 6.4 MEDIUM | 10.0 CRITICAL |
| A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. Affected versions of Avaya Control Manager include 7.x and 8.0.x versions prior to 8.0.4.0. Unsupported versions not listed here were not evaluated. | |||||
| CVE-2019-5454 | 1 Nextcloud | 1 Nextcloud | 2023-02-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows to destroy a local cache when a harmful query is executed requiring to resetup the account. | |||||
| CVE-2018-3885 | 1 Erpnext | 1 Erpnext | 2023-02-03 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2018-3884 | 1 Erpnext | 1 Erpnext | 2023-02-03 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2019-15984 | 1 Cisco | 1 Data Center Network Manager | 2023-02-02 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. | |||||
| CVE-2022-26651 | 2 Debian, Digium | 3 Debian Linux, Asterisk, Certified Asterisk | 2023-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14. | |||||
| CVE-2011-4802 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2023-02-02 | 6.5 MEDIUM | N/A |
| Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php. | |||||
| CVE-2018-3882 | 1 Erpnext | 1 Erpnext | 2023-02-02 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2018-3883 | 1 Erpnext | 1 Erpnext | 2023-02-02 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2019-19649 | 1 Zohocorp | 1 Manageengine Applications Manager | 2023-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. | |||||
| CVE-2014-4984 | 1 Dejavuprotech | 1 Crescendo - Sales Crm | 2023-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| Déjà Vu Crescendo Sales CRM has remote SQL Injection | |||||
| CVE-2019-20361 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2023-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability). | |||||
| CVE-2014-5109 | 1 Netfortris | 1 Trixbox | 2023-01-31 | 7.5 HIGH | N/A |
| SQL injection vulnerability in maint/modules/endpointcfg/endpoint_generic.php in Fonality trixbox allows remote attackers to execute arbitrary SQL commands via the mac parameter in a Submit action. | |||||
| CVE-2010-0702 | 1 Netfortris | 1 Trixbox | 2023-01-31 | 7.5 HIGH | N/A |
| SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | |||||
| CVE-2022-1691 | 1 Realtyworkstation | 1 Realty Workstation | 2023-01-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Realty Workstation WordPress plugin before 1.0.15 does not sanitise and escape the trans_edit parameter before using it in a SQL statement when an agent edit a transaction, leading to an SQL injection | |||||
| CVE-2021-37589 | 1 Virtuasoftware | 1 Cobranca | 2023-01-31 | 5.0 MEDIUM | 7.5 HIGH |
| Virtua Cobranca before 12R allows SQL Injection on the login page. | |||||
| CVE-2018-16384 | 1 Owasp | 1 Owasp Modsecurity Core Rule Set | 2023-01-30 | 5.0 MEDIUM | 7.5 HIGH |
| A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed. | |||||
| CVE-2019-19650 | 1 Zohocorp | 1 Manageengine Applications Manager | 2023-01-30 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. | |||||
| CVE-2019-11821 | 1 Synology | 1 Photo Station | 2023-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter. | |||||
| CVE-2019-13413 | 1 Boiteasite | 1 Rencontre | 2023-01-30 | 7.5 HIGH | 9.8 CRITICAL |
| The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php. | |||||