Total: 14188 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-36299 | 1 Dell | 1 Emc Idrac9 Firmware | 2021-11-27 | 5.5 MEDIUM | 8.1 HIGH |
Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application. | |||||
CVE-2021-36300 | 1 Dell | 1 Emc Idrac9 Firmware | 2021-11-26 | 6.4 MEDIUM | 8.2 HIGH |
iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure. | |||||
CVE-2021-41674 | 1 E-negosyo System Project | 1 E-negosyo System | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php. | |||||
CVE-2021-41676 | 1 Pharmacy Point Of Sale System Project | 1 Pharmacy Point Of Sale System | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
An SQL Injection vulnerability exists in the oretnom23 Pharmacy Point of Sale System 1.0 in the login function in actions.php. | |||||
CVE-2021-42325 | 1 Froxlor | 1 Froxlor | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name. | |||||
CVE-2021-36916 | 1 Wpwave | 1 Hide My Wp | 2021-11-26 | 7.5 HIGH | 9.8 CRITICAL |
The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including headers the user can spoof, such as "X-Forwarded-For". As a result, a malicious payload supplied in one of these headers is inserted directly into the SQL query, making SQL injection possible. | |||||
CVE-2021-24877 | 1 Mainwp | 1 Mainwp Child | 2021-11-26 | 6.0 MEDIUM | 7.2 HIGH |
The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameters before using them in a SQL statement, leading to an SQL injection exploitable by high-privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed. | |||||
CVE-2021-41648 | 1 Online-shopping-system-advanced Project | 1 Online-shopping-system-advanced | 2021-11-26 | 5.0 MEDIUM | 7.5 HIGH |
An unauthenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced via the prId parameter of /action.php; the value supplied in the POST request is not sanitised before use. | |||||
CVE-2021-43408 | 1 Duplicate Post Project | 1 Duplicate Post | 2021-11-24 | 9.0 HIGH | 8.8 HIGH |
The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client-supplied data is included within an SQL query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it is also possible to exploit features of the SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators; however, the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles. | |||||
CVE-2017-11509 | 2 Debian, Firebirdsql | 2 Debian Linux, Firebird | 2021-11-23 | 9.0 HIGH | 8.8 HIGH |
An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement. | |||||
CVE-2021-42665 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-11-23 | 7.5 HIGH | 9.8 CRITICAL |
An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication. | |||||
CVE-2021-24758 | 1 Email Log Project | 1 Email Log | 2021-11-19 | 6.5 MEDIUM | 8.8 HIGH |
The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in a SQL statement in the admin dashboard, leading to SQL injection. | |||||
CVE-2021-24772 | 1 Xwp | 1 Stream | 2021-11-19 | 6.5 MEDIUM | 8.8 HIGH |
The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue. | |||||
CVE-2021-41931 | 1 Recruitment Management System Project | 1 Recruitment Management System | 2021-11-18 | 7.5 HIGH | 9.8 CRITICAL |
The Company's Recruitment Management System is vulnerable to SQL injection via the id parameter of the view_vacancy page (observed with id=2). The payloads 19424269' or '1309'='1309 and 39476597' or '2917'='2923 were each submitted in the id parameter. These two requests produced different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. | |||||
CVE-2021-41765 | 1 Montala | 1 Resourcespace | 2021-11-17 | 7.5 HIGH | 9.8 CRITICAL |
A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the full contents of the ResourceSpace database, including user session cookies. An attacker who gets an admin user session cookie can use the session cookie to execute arbitrary code on the server. | |||||
CVE-2021-26795 | 1 Talariax | 1 Sendquick Alert Plus Server Admin | 2021-11-17 | 6.5 MEDIUM | 8.8 HIGH |
A SQL Injection vulnerability in /appliance/shiftmgn.php in TalariaX sendQuick Alert Plus Server Admin 4.3 before 8HF11 allows attackers to obtain sensitive information via the Roster Time input of Roster Management. | |||||
CVE-2021-42670 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2021-11-17 | 7.5 HIGH | 9.8 CRITICAL |
A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter of the announcements_student.php web page. As a result, a malicious user can extract sensitive data from the web server and, in some cases, use this vulnerability to achieve remote code execution on the web server. | |||||
CVE-2021-43130 | 1 Customer Relationship Management System Project | 1 Customer Relationship Management System | 2021-11-17 | 10.0 HIGH | 9.8 CRITICAL |
An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php. | |||||
CVE-2021-24844 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2021-11-13 | 6.5 MEDIUM | 7.2 HIGH |
The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue. | |||||
CVE-2021-24628 | 1 Wow-company | 1 Wow Forms | 2021-11-10 | 6.5 MEDIUM | 7.2 HIGH |
The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement when deleting a form in the admin dashboard, leading to an authenticated SQL injection. | |||||
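Added example, not code from any of the projects listed above. The login.php entries (CVE-2021-41674, CVE-2021-41676, CVE-2021-42665, CVE-2021-43130) and the Hide My WP entry (CVE-2021-36916) share one defect: request data spliced into SQL text, whether it arrives in a form field or in a header such as X-Forwarded-For that the client controls. The block below reproduces both shapes against a constructed in-memory SQLite schema, first with string formatting and then with bound parameters; the schema, the sample user, the trusted-proxy address and the payloads are all constructed for illustration and are not taken from the affected products.

```python
import sqlite3

# Assumption for the example: the one reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


def make_db():
    """Constructed sample schema: one admin account and a visit log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin@example.com', 'S3cret!', 'admin')")
    conn.execute("CREATE TABLE visits (path TEXT, ip TEXT)")
    return conn


def login_vulnerable(conn, email, password):
    """Same shape as the vulnerable login handlers: a quote in the input closes the literal."""
    sql = "SELECT role FROM users WHERE email = '%s' AND password = '%s'" % (email, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Bound parameters: the value travels separately from the SQL text, so ' is just a character."""
    row = conn.execute(
        "SELECT role FROM users WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return row[0] if row else None


def client_ip_vulnerable(headers, remote_addr):
    """The hmwp_get_user_ip pattern: believe a client-controlled header whenever it is present."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_safe(headers, remote_addr):
    """Only a trusted proxy may override the socket address; take the hop it appended last."""
    if remote_addr in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        return headers["X-Forwarded-For"].split(",")[-1].strip()
    return remote_addr


def log_visit_vulnerable(conn, headers, remote_addr, path):
    """Header value formatted into the INSERT; returns what was actually stored as the IP."""
    ip = client_ip_vulnerable(headers, remote_addr)
    conn.execute("INSERT INTO visits (path, ip) VALUES ('%s', '%s')" % (path, ip))
    return conn.execute("SELECT ip FROM visits ORDER BY rowid DESC").fetchone()[0]


def log_visit_safe(conn, headers, remote_addr, path):
    """Trusted source selection plus a bound parameter; the stored IP is exactly the input."""
    ip = client_ip_safe(headers, remote_addr)
    conn.execute("INSERT INTO visits (path, ip) VALUES (?, ?)", (path, ip))
    return conn.execute("SELECT ip FROM visits ORDER BY rowid DESC").fetchone()[0]


# Constructed payloads.
BYPASS = "x' OR '1'='1"
# Concatenates the admin password into the stored "IP", so it lands in a log the attacker can read.
EXFIL_HEADER = {"X-Forwarded-For": "' || (SELECT password FROM users WHERE role='admin') || '"}

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, BYPASS))                          # admin
    print(login_safe(db, BYPASS, BYPASS))                                # None
    print(log_visit_vulnerable(db, EXFIL_HEADER, "203.0.113.9", "/"))   # S3cret!
    print(log_visit_safe(db, EXFIL_HEADER, "203.0.113.9", "/"))         # 203.0.113.9
```

The header case is worth the separate function because parameterisation alone is not the whole fix: even with a bound parameter, a spoofed X-Forwarded-For still lets an attacker write any "IP" they like into the log, so the source of the value has to be restricted to a known proxy as well.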
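Added example, not code from any of the plugins listed above. The orderby/order entries (CVE-2021-24877, CVE-2021-24758, CVE-2021-24772, CVE-2021-24844) are a different case from the login-form bugs: ORDER BY takes identifiers, and a database driver cannot bind an identifier as a parameter, so the correct fix is to map the request value onto an allowlist of column names and directions. The block below shows the vulnerable pattern, why simply binding the value does not work, the allowlist fix, and the attacker's side: a conditional ORDER BY used as a boolean oracle to read a value from another table. The tables, the secret and the payload are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a listing table and a table the attacker wants to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "cherry"), (2, "apple"), (3, "banana")])
    conn.execute("CREATE TABLE secrets (token TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('k7')")
    return conn


def list_titles_vulnerable(conn, orderby, order):
    """The pattern in the advisories: request parameters pasted straight into ORDER BY."""
    sql = "SELECT title FROM posts ORDER BY %s %s" % (orderby, order)
    return [r[0] for r in conn.execute(sql)]


def list_titles_bound(conn, orderby):
    """Binding the column name does NOT sort: ? becomes a string constant, equal for every row."""
    return [r[0] for r in conn.execute("SELECT title FROM posts ORDER BY ?", (orderby,))]


ALLOWED_COLUMNS = {"id": "id", "title": "title"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


def list_titles_safe(conn, orderby, order):
    """Map the request value onto a fixed identifier; unknown values fall back to a default."""
    col = ALLOWED_COLUMNS.get(orderby, "id")
    direction = ALLOWED_ORDER.get(str(order).lower(), "ASC")
    sql = "SELECT title FROM posts ORDER BY %s %s" % (col, direction)  # both parts are ours now
    return [r[0] for r in conn.execute(sql)]


def oracle_payload(prefix):
    """Constructed orderby payload: sort by id if secrets.token starts with prefix, else by title.
    The attacker learns one bit from which row comes first."""
    return "(CASE WHEN (SELECT token FROM secrets) LIKE '%s%%' THEN id ELSE title END)" % prefix


def recover_token_first_char(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Attacker side of the oracle against the vulnerable handler: id-order (cherry first)
    means the CASE condition held, so that candidate is the first character of the token."""
    for ch in alphabet:
        if list_titles_vulnerable(conn, oracle_payload(ch), "ASC")[0] == "cherry":
            return ch
    return None


if __name__ == "__main__":
    db = make_db()
    print(list_titles_safe(db, "title", "asc"))      # ['apple', 'banana', 'cherry']
    print(list_titles_bound(db, "title"))            # not sorted by title
    print(recover_token_first_char(db))              # k
```

Note that the fixed version still builds the SQL string with %s; that is acceptable only because both substituted values come from dictionaries the code owns, never from the request. Extending the oracle to the full token is the same loop over each position with LIKE on a longer prefix.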
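Added example, not code from the Recruitment Management System. The CVE-2021-41931 entry records how the issue was confirmed: two payloads, one carrying a true clause and one a false clause, were sent in the id parameter and the responses differed. The block below implements that boolean differential probe and runs it against a constructed view_vacancy handler backed by SQLite, in its vulnerable form and with a bound parameter, where the responses coincide and the probe reports nothing. The table contents, the random-looking prefixes and both handler shapes are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed vacancies table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vacancies (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO vacancies VALUES (?, ?)",
                     [(1, "Analyst"), (2, "Engineer"), (3, "Manager")])
    return conn


def view_vacancy_vulnerable(conn, id_param):
    """Request value pasted into the WHERE clause inside quotes; returns the page body."""
    sql = "SELECT title FROM vacancies WHERE id = '%s'" % id_param
    return "\n".join(r[0] for r in conn.execute(sql))


def view_vacancy_safe(conn, id_param):
    """Same query with a bound parameter; the whole payload is compared as one value."""
    rows = conn.execute("SELECT title FROM vacancies WHERE id = ?", (id_param,))
    return "\n".join(r[0] for r in rows)


def boolean_probe(fetch, prefix_true="19424269", prefix_false="39476597"):
    """Differential test in the style of the advisory.

    fetch(value) returns the response body for a request with id=value. A nonsense
    value gives the baseline; the same nonsense value followed by a true tautology
    should change the response only if the quote reached the SQL text, while the
    false tautology should leave it equal to the baseline. Requiring both conditions
    avoids flagging pages that merely echo the input back.
    """
    baseline = fetch(prefix_false)
    resp_true = fetch("%s' or '1309'='1309" % prefix_true)
    resp_false = fetch("%s' or '2917'='2923" % prefix_false)
    return resp_true != resp_false and resp_false == baseline


if __name__ == "__main__":
    db = make_db()
    print(boolean_probe(lambda v: view_vacancy_vulnerable(db, v)))   # True
    print(boolean_probe(lambda v: view_vacancy_safe(db, v)))         # False
```

Against the vulnerable handler the true payload turns the WHERE clause into a tautology and the page lists every vacancy, while the false payload and the baseline return nothing; against the bound version all three requests compare the full string to the integer column and return the same empty page.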