Total: 14188 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-0694 | 1 Elbtide | 1 Advanced Booking Calendar | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL | The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection. |
CVE-2022-26266 | 1 Piwigo | 1 Piwigo | 2022-03-28 | 6.5 MEDIUM | 8.8 HIGH | Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php. |
CVE-2021-45821 | 1 Btiteam | 1 Xbtit | 2022-03-28 | 6.5 MEDIUM | 8.8 HIGH | A blind SQL injection vulnerability exists in Xbtit 3.1 via the sid parameter in the ajaxchat/getHistoryChatData.php file, which is accessible to a registered user. As a result, a malicious user can extract sensitive data such as usernames and passwords and, in some cases, use this vulnerability to obtain remote code execution on the web server. |
CVE-2022-26293 | 1 Online Project Time Management System Project | 1 Online Project Time Management System | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL | Online Project Time Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the function save_employee at /ptms/classes/Users.php. |
CVE-2022-25607 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2022-03-25 | 6.5 MEDIUM | 7.2 HIGH | Authenticated (author or higher user role) SQL injection (SQLi) vulnerability discovered in the FV Flowplayer Video Player WordPress plugin (versions <= 7.5.15.727). |
CVE-2022-24752 | 1 Sylius | 1 Syliusgridbundle | 2022-03-25 | 7.5 HIGH | 9.8 CRITICAL | SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know whether this could lead to direct SQL injection but took steps to remediate the vulnerability. The issue is fixed in versions 1.10.1 and 1.11-rc2. As a workaround, overwrite the `Sylius\Component\Grid\Sorting\Sorter.php` class and register it in the container. More information about this workaround is available in the GitHub Security Advisory. |
CVE-2021-44088 | 1 Attendance And Payroll System Project | 1 Attendance And Payroll System | 2022-03-24 | 7.5 HIGH | 9.8 CRITICAL | An SQL injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters. |
CVE-2021-45794 | 1 Slims | 1 Senayan Library Management System | 2022-03-24 | 5.0 MEDIUM | 7.5 HIGH | Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained. |
CVE-2021-45793 | 1 Slims | 1 Senayan Library Management System | 2022-03-24 | 5.0 MEDIUM | 7.5 HIGH | Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained. |
CVE-2021-45791 | 1 Slims | 1 Senayan Library Management System | 2022-03-23 | 6.5 MEDIUM | 8.8 HIGH | Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/member_type.php, /admin/modules/system/user_group.php, and /admin/modules/membership/index.php through the dir parameter. It can be exploited by remotely authenticated librarian users. |
CVE-2022-25494 | 1 Online Banking System Project | 1 Online Banking System | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL | Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via staff_login.php. |
CVE-2022-25488 | 1 Thedigitalcraft | 1 Atomcms | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL | Atom CMS v2.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/ajax/avatar.php. |
CVE-2022-25506 | 1 Freetakserver-ui Project | 1 Freetakserver-ui | 2022-03-22 | 4.0 MEDIUM | 6.5 MEDIUM | FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser. |
CVE-2022-0478 | 1 Mage-people | 1 Event Manager And Tickets Selling For Woocommerce | 2022-03-21 | 6.5 MEDIUM | 8.8 HIGH | The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL injection attacks. |
CVE-2022-0254 | 1 Highfivery | 1 Zero-spam | 2022-03-21 | 7.5 HIGH | 9.8 CRITICAL | The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection. |
CVE-2022-0658 | 1 Wielebenwir | 1 Commonsbooking | 2022-03-21 | 7.5 HIGH | 9.8 CRITICAL | The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection. |
CVE-2022-22735 | 1 Sedlex | 1 Simple Quotation | 2022-03-21 | 6.5 MEDIUM | 8.8 HIGH | The Simple Quotation WordPress plugin through 1.3.2 lacks authorisation (and CSRF) checks in several of its AJAX actions and does not escape user data when using it in SQL statements, allowing any authenticated user, such as a subscriber, to perform SQL injection attacks. |
CVE-2022-0169 | 1 10web | 1 Photo Gallery | 2022-03-21 | 7.5 HIGH | 9.8 CRITICAL | The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection. |
CVE-2021-25007 | 1 Molie Instructure Canvas Linking Tool Project | 1 Molie Instructure Canvas Linking Tool | 2022-03-20 | 7.5 HIGH | 9.8 CRITICAL | The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using it in a SQL statement, leading to a SQL injection. |
CVE-2021-24959 | 1 Techspawn | 1 Wp-email-users | 2022-03-20 | 6.5 MEDIUM | 8.8 HIGH | The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated user, allowing them to perform SQL injection attacks. |
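Two distinct injection sinks recur in the entries above: a request value dropped into a WHERE clause (the AJAX-action cases such as CVE-2022-0694, CVE-2022-0658 and CVE-2022-0169) and sort identifiers dropped into ORDER BY (the order/orderby case CVE-2022-0254, and the query-sorting case CVE-2022-24752). The example below is added here to show why the two need different fixes; it is not code from any of the listed projects. It uses Python with an in-memory SQLite database as a stand-in for the PHP/MySQL stacks involved; the table names, the sample rows, the `$P$fakehash` value and every function name are constructed for the illustration. The first sink is closed by type-checking and binding the value; the second cannot be fixed with placeholders at all, because identifiers are not bindable, so it is closed with an allowlist. The `recover_hash_prefix` function shows what an attacker gets from the ORDER BY sink even when no row from the sensitive table is ever rendered: the sort order of the normal result answers yes/no questions about it.

```python
import sqlite3

# Identifiers (column names, sort direction) cannot be bound as query
# parameters, so the only safe way to accept them is an allowlist.
ALLOWED_ORDERBY = {"id", "name", "date_created"}
ALLOWED_ORDER = {"ASC", "DESC"}


def make_db():
    """Constructed sample schema standing in for a plugin's tables (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE calendars (id INTEGER PRIMARY KEY, name TEXT, date_created TEXT);
        INSERT INTO calendars VALUES (1, 'public',  '2022-01-01');
        INSERT INTO calendars VALUES (2, 'private', '2022-02-01');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$P$fakehash');
        """
    )
    return conn


# --- Sink 1: a value in WHERE (the AJAX-action pattern, e.g. a "calendar" id) ---

def get_single_calendar_vulnerable(conn, calendar):
    """Interpolating the request parameter lets the caller rewrite the query."""
    sql = f"SELECT id, name FROM calendars WHERE id = {calendar}"
    return conn.execute(sql).fetchall()


def get_single_calendar_fixed(conn, calendar):
    """Validate the type, then bind the value; the input never becomes SQL text."""
    try:
        calendar_id = int(calendar)
    except (TypeError, ValueError):
        raise ValueError("calendar must be an integer id")
    return conn.execute(
        "SELECT id, name FROM calendars WHERE id = ?", (calendar_id,)
    ).fetchall()


# --- Sink 2: identifiers in ORDER BY (the order/orderby pattern) ---

def list_calendars_vulnerable(conn, orderby, order):
    """ORDER BY accepts arbitrary expressions, so an unescaped sort key is a sink too."""
    sql = f"SELECT id, name FROM calendars ORDER BY {orderby} {order}"
    return conn.execute(sql).fetchall()


def list_calendars_fixed(conn, orderby, order):
    """Placeholders cannot carry identifiers; match them against a fixed allowlist."""
    order = order.upper()
    if orderby not in ALLOWED_ORDERBY or order not in ALLOWED_ORDER:
        raise ValueError("unsupported orderby/order")
    # Interpolation is safe here only because both tokens were just allowlisted.
    return conn.execute(
        f"SELECT id, name FROM calendars ORDER BY {orderby} {order}"
    ).fetchall()


def recover_hash_prefix(conn, length, charset="$PQabcdefghijklmnopqrstuvwxyz0123456789"):
    """Boolean-based blind extraction through the vulnerable ORDER BY sink.

    The injected CASE sorts by id when the guessed character is right and by
    name otherwise, so the order of the (harmless) calendar rows answers each
    yes/no question about the users table without ever displaying it.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            probe = (
                "CASE WHEN (SELECT substr(pass_hash,%d,1) FROM users WHERE login = 'admin')"
                " = '%s' THEN id ELSE name END" % (pos, ch)
            )
            if list_calendars_vulnerable(conn, probe, "ASC")[0][0] == 1:
                recovered += ch
                break
        else:
            break  # next character is outside the charset; stop
    return recovered


def is_rejected(fn, *args):
    """True when the hardened function refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION SELECT id, login || ':' || pass_hash FROM users"
    print(get_single_calendar_vulnerable(db, payload))  # leaks admin:$P$fakehash
    print(is_rejected(get_single_calendar_fixed, db, payload))  # True
    print(recover_hash_prefix(db, 4))  # $P$f
    print(is_rejected(list_calendars_fixed, db, "name; DROP TABLE users", "ASC"))  # True
```

In WordPress terms, `$wpdb->prepare()` is the equivalent of the bound `?` for values, and it does not help with the order/orderby case; a plugin that sorts on a request parameter needs the allowlist. The "available to unauthenticated users" wording in several entries comes from the action being registered on the `wp_ajax_nopriv_{action}` hook as well as `wp_ajax_{action}`, which is what turns a bug like the first sink into an unauthenticated, 9.8-scored finding.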