Total: 11922 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-36410 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 8.8 HIGH |
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
CVE-2024-36411 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 8.8 HIGH |
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
CVE-2024-36412 | 1 Salesagility | 1 Suitecrm | 2024-06-12 | N/A | 9.8 CRITICAL |
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
CVE-2024-5733 | 1 Online Discussion Forum Project | 1 Online Discussion Forum | 2024-06-11 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability was found in itsourcecode Online Discussion Forum 1.0. It has been rated as critical. This issue affects some unknown processing of the file register_me.php. The manipulation of the argument eaddress leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-267407. | |||||
CVE-2024-36673 | 1 Pharmacy/medical Store Point Of Sale System Project | 1 Pharmacy/medical Store Point Of Sale System | 2024-06-11 | N/A | 9.8 CRITICAL |
Sourcecodester Pharmacy/Medical Store Point of Sale System 1.0 is vulnerable to SQL Injection via login.php. This vulnerability stems from inadequate validation of user inputs for the email and password parameters, allowing attackers to inject malicious SQL queries. | |||||
CVE-2024-36779 | 1 Stock Management System Project | 1 Stock Management System | 2024-06-11 | N/A | 9.8 CRITICAL |
Sourcecodester Stock Management System v1.0 is vulnerable to SQL Injection via editCategories.php. | |||||
CVE-2024-36393 | 1 Sysaid | 1 Sysaid | 2024-06-11 | N/A | 9.8 CRITICAL |
SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | |||||
CVE-2024-5329 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor (free Widgets, Addons, Templates) | 2024-06-11 | N/A | 8.8 HIGH |
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to blind SQL Injection via the ‘data[addonID]’ parameter in all versions up to, and including, 1.5.109 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
CVE-2024-4743 | 1 Lifterlms | 1 Lifterlms | 2024-06-11 | N/A | 6.5 MEDIUM |
The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to SQL Injection via the orderBy attribute of the lifterlms_favorites shortcode in all versions up to, and including, 7.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
CVE-2024-5636 | 1 Bakery Online Ordering System Project | 1 Bakery Online Ordering System | 2024-06-11 | 6.5 MEDIUM | 9.8 CRITICAL |
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file report/index.php. The manipulation of the argument procduct leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-267092. | |||||
CVE-2024-4295 | 1 Icegram | 1 Email Subscribers & Newsletters | 2024-06-11 | N/A | 9.8 CRITICAL |
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
CVE-2024-5635 | 1 Bakery Online Ordering System Project | 1 Bakery Online Ordering System | 2024-06-11 | 6.5 MEDIUM | 9.8 CRITICAL |
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument txtsearch leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-267091. | |||||
CVE-2024-5773 | | | 2024-06-10 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability, which was classified as critical, was found in Netentsec NS-ASG Application Security Gateway 6.3. Affected is an unknown function of the file /protocol/firewall/deletemacbind.php. The manipulation of the argument messagecontent leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-267456. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2022-33171 | 1 Typeorm | 1 Typeorm | 2024-06-10 | 7.5 HIGH | 9.8 CRITICAL |
The findOne function in TypeORM before 0.3.0 can be supplied with either a string or a FindOneOptions object. When the input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation. | |||||
CVE-2024-35305 | | | 2024-06-10 | N/A | N/A |
An unauthenticated time-based SQL injection in the API is exploitable through the HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777. | |||||
CVE-2024-31460 | | | 2024-06-10 | N/A | 6.5 MEDIUM |
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in the `create_all_header_nodes()` function from `lib/api_automation.php`, finally resulting in SQL injection. Using SQL-based secondary injection, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. | |||||
CVE-2024-31458 | | | 2024-06-10 | N/A | 4.6 MEDIUM |
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in the `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php`, finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue. | |||||
CVE-2024-31445 | | | 2024-06-10 | N/A | 8.8 HIGH |
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in the `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, `get_request_var('filter')` is concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, the filter for `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue. | |||||
CVE-2024-1597 | 2 Fedoraproject, Postgresql | 2 Fedora, Postgresql Jdbc Driver | 2024-06-10 | N/A | 9.8 CRITICAL |
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected. | |||||
CVE-2023-51448 | 1 Cacti | 1 Cacti | 2024-06-10 | N/A | 8.8 HIGH |
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `managers.php`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `/cacti/managers.php` with an SQLi payload in the `selected_graphs_array` HTTP GET parameter. As of time of publication, no patched versions exist. | |||||