Total
15969 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-36412 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 10.0 CRITICAL |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36411 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 9.6 CRITICAL |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36410 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 9.6 CRITICAL |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36409 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 9.6 CRITICAL |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36408 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 9.6 CRITICAL |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36393 | 1 Sysaid | 1 Sysaid | 2024-11-21 | N/A | 9.9 CRITICAL |
| SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | |||||
| CVE-2024-36082 | 1 Codepeople | 1 Music Store | 2024-11-21 | N/A | 6.5 MEDIUM |
| SQL injection vulnerability in Music Store - WordPress eCommerce versions prior to 1.1.14 allows a remote authenticated attacker with an administrative privilege to execute arbitrary SQL commands. Information stored in the database may be obtained or altered by the attacker. | |||||
| CVE-2024-35750 | 1 Wpdevart | 1 Gallery | 2024-11-21 | N/A | 8.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevart Responsive Image Gallery, Gallery Album.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. | |||||
| CVE-2024-35736 | 1 Themeisle | 1 Visualizer | 2024-11-21 | N/A | 8.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Visualizer.This issue affects Visualizer: from n/a through 3.11.1. | |||||
| CVE-2024-35630 | 2024-11-21 | N/A | 7.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LJ Apps WP TripAdvisor Review Slider allows Blind SQL Injection.This issue affects WP TripAdvisor Review Slider: from n/a through 12.6. | |||||
| CVE-2024-35563 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| CDG-Server-V5.6.2.126.139 and earlier was discovered to contain a SQL injection vulnerability via the permissionId parameter in CDGTempPermissions. | |||||
| CVE-2024-35548 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| A SQL injection vulnerability in Mybatis plus versions below 3.5.6 allows remote attackers to obtain database information via a Boolean blind injection. NOTE: the vendor's position is that this can only occur in a misconfigured application; the documentation discusses how to develop applications that avoid SQL injection. | |||||
| CVE-2024-35361 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| MTab Bookmark v1.9.5 has an SQL injection vulnerability in /LinkStore/getIcon. An attacker can execute arbitrary SQL statements through this vulnerability without requiring any user rights. | |||||
| CVE-2024-35359 | 1 Dino Physics School Assistant Project | 1 Dino Physics School Assistant | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability impacts an unidentified code within the file /classes/Master.php?f=view_item. Manipulating the argument id can result in SQL injection. | |||||
| CVE-2024-35349 | 1 Dino Physics School Assistant Project | 1 Dino Physics School Assistant | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability impacts an unidentified code within the file /admin/category/view_category.php. Manipulating the argument id can result in SQL injection. | |||||
| CVE-2024-35305 | 2024-11-21 | N/A | N/A | ||
| Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777. | |||||
| CVE-2024-35182 | 2024-11-21 | N/A | 5.9 MEDIUM | ||
| Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetAllEvents` at the API URL `/api/v2/events`. The sort query parameter read in `events_streamer.go` is directly used to build a SQL query in `events_persister.go`. Version 0.7.22 fixes this issue by using the `SanitizeOrderInput` function. | |||||
| CVE-2024-35181 | 2024-11-21 | N/A | 5.9 MEDIUM | ||
| Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API URL `/api/system/meshsync/resources/kinds`. The order query parameter is directly used to build a SQL query in `meshync_handler.go`. Version 0.7.22 fixes this issue. | |||||
| CVE-2024-34994 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`. | |||||
| CVE-2024-34993 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| In the module "Bulk Export products to Google Merchant-Google Shopping" (bagoogleshopping) up to version 1.0.26 from Buy Addons for PrestaShop, a guest can perform SQL injection via`GenerateCategories::renderCategories(). | |||||