Total
14188 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25760 | 1 Projectworlds | 1 Visitor Management System In Php | 2022-01-01 | 6.5 MEDIUM | 8.8 HIGH |
| Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database. | |||||
| CVE-2021-43851 | 1 Anuko | 1 Time Tracker | 2021-12-28 | 6.5 MEDIUM | 8.8 HIGH |
| Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce ttValidStatus function as in the latest version and start using it user input check blocks wherever status field is used. For groups.php fix, introduce ttValidInteger function as in the latest version and use it in the access check block in the file. | |||||
| CVE-2021-43157 | 1 Projectworlds | 1 Online Shopping System In Php | 2021-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| Projectsworlds Online Shopping System PHP 1.0 is vulnerable to SQL injection via the id parameter in cart_remove.php. | |||||
| CVE-2021-43629 | 1 Projectworlds | 1 Hospital Management System In Php | 2021-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in admin_home.php. | |||||
| CVE-2021-43630 | 1 Projectworlds | 1 Hospital Management System In Php | 2021-12-28 | 6.5 MEDIUM | 8.8 HIGH |
| Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in add_patient.php. As a result, an authenticated malicious user can compromise the databases system and in some cases leverage this vulnerability to get remote code execution on the remote web server. | |||||
| CVE-2021-43631 | 1 Projectworlds | 1 Hospital Management System In Php | 2021-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the appointment_no parameter in payment.php. | |||||
| CVE-2021-43628 | 1 Projectworlds | 1 Hospital Management System In Php | 2021-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the email parameter in hms-staff.php. | |||||
| CVE-2021-43155 | 1 Projectworlds | 1 Online Book Store Project In Php | 2021-12-28 | 7.5 HIGH | 9.8 CRITICAL |
| Projectsworlds Online Book Store PHP v1.0 is vulnerable to SQL injection via the "bookisbn" parameter in cart.php. | |||||
| CVE-2021-44874 | 1 Dalmark | 1 Systeam Enterprise Resource Planning | 2021-12-27 | 6.5 MEDIUM | 8.8 HIGH |
| Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Insecure design on report build via SQL query. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. The bi report module exposes direct SQL commands via POST data in order to select data for report generation. A malicious actor can use the bi report endpoint as a direct SQL prompt under the authenticated user. | |||||
| CVE-2021-45253 | 1 Simple Cold Storage Management System Project | 1 Simple Cold Storage Managment System | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| The id parameter in view_storage.php from Simple Cold Storage Management System 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. | |||||
| CVE-2021-24846 | 1 Ni Woocommerce Custom Order Status Project | 1 Ni Woocommerce Custom Order Status | 2021-12-27 | 6.5 MEDIUM | 8.8 HIGH |
| The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber | |||||
| CVE-2021-24849 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections | |||||
| CVE-2020-18081 | 1 Sem-cms | 1 Semcms | 2021-12-22 | 5.0 MEDIUM | 7.5 HIGH |
| The checkuser function of SEMCMS 3.8 was discovered to contain a vulnerability which allows attackers to obtain the password in plaintext through a SQL query. | |||||
| CVE-2021-41843 | 1 Open-emr | 1 Openemr | 2021-12-22 | 6.8 MEDIUM | 6.5 MEDIUM |
| An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI. | |||||
| CVE-2021-43451 | 1 Employee Record Management System Project | 1 Employee Record Management System | 2021-12-22 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php. | |||||
| CVE-2021-44280 | 1 Attendance Management System Project | 1 Attendance Management System | 2021-12-22 | 7.5 HIGH | 9.8 CRITICAL |
| attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function. | |||||
| CVE-2021-41262 | 1 Galette | 1 Galette | 2021-12-21 | 6.5 MEDIUM | 8.8 HIGH |
| Galette is a membership management web application built for non profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to SQL injection attacks by users with "member" privilege. Users are advised to upgrade to version 0.9.6 as soon as possible. There are no known workarounds. | |||||
| CVE-2021-40850 | 1 Tcman | 1 Gim | 2021-12-21 | 7.5 HIGH | 9.8 CRITICAL |
| TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx. | |||||
| CVE-2021-43806 | 1 Enalean | 1 Tuleap | 2021-12-21 | 6.5 MEDIUM | 8.8 HIGH |
| Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories. A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without an active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Edition 13.2.99.155, Tuleap Enterprise Edition 13.1-7, and Tuleap Enterprise Edition 13.2-6. | |||||
| CVE-2021-43830 | 1 Openproject | 1 Openproject | 2021-12-20 | 6.5 MEDIUM | 8.8 HIGH |
| OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch | |||||