Total: 15969 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-24002 | 1 Jishenghua | 1 Jsherp | 2024-11-21 | N/A | 9.8 CRITICAL | jshERP v3.3 is vulnerable to SQL Injection. The `com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock()` function of jshERP does not filter the `column` and `order` parameters well enough, and an attacker can construct a malicious payload to bypass jshERP's protection mechanism in the `safeSqlParse` method for SQL injection. |
CVE-2024-23975 | | | 2024-11-21 | N/A | 8.8 HIGH | SQL injection vulnerability exists in GetDIAE_slogListParameters. |
CVE-2024-23810 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | N/A | 8.8 HIGH | A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application is vulnerable to SQL injection. This could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database. |
CVE-2024-23646 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | N/A | 8.8 HIGH | Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, the parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. Version 1.3.2 contains a fix for this issue. |
CVE-2024-23507 | 1 Instawp | 1 Instawp Connect | 2024-11-21 | N/A | 8.5 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. |
CVE-2024-23494 | | | 2024-11-21 | N/A | 8.8 HIGH | SQL injection vulnerability exists in GetDIAE_unListParameters. |
CVE-2024-22406 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A | 9.3 CRITICAL | Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
CVE-2024-22283 | 1 Delhivery | 1 Logistics Courier | 2024-11-21 | N/A | 8.5 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delhivery Delhivery Logistics Courier. This issue affects Delhivery Logistics Courier: from n/a through 1.0.107. |
CVE-2024-22221 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 4.5 MEDIUM | Dell Unity, versions prior to 5.4, contains a SQL Injection vulnerability. An authenticated attacker could potentially exploit this vulnerability, leading to exposure of sensitive information. |
CVE-2024-22196 | 1 Nginxui | 1 Nginx Ui | 2024-11-21 | N/A | 7.0 HIGH | Nginx-UI is an online statistics tool for server indicators that monitors CPU usage, memory usage, load average, and disk usage in real time. This issue may lead to information disclosure. By using `DefaultQuery`, the `"desc"` and `"id"` values are used as default values if the query parameters are not set. Thus, the `order` and `sort_by` query parameters are user-controlled and are being appended to the `order` variable without any sanitization. This issue has been patched in version 2.0.0.beta.9. |
CVE-2024-22147 | 1 Wpovernight | 1 Woocommerce Pdf Invoices & Packing Slips | 2024-11-21 | N/A | 7.6 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Overnight PDF Invoices & Packing Slips for WooCommerce. This issue affects PDF Invoices & Packing Slips for WooCommerce: from n/a through 3.7.5. |
CVE-2024-21901 | 1 Qnap | 2 Myqnapcloud, Qts | 2024-11-21 | N/A | 4.7 MEDIUM | A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: myQNAPcloud 1.0.52 (2023/11/24) and later; QTS 4.5.4.2627 build 20231225 and later. |
CVE-2024-21747 | 1 Wedevs | 1 Wp Erp | 2024-11-21 | N/A | 7.6 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting. This issue affects WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting: from n/a through 1.12.8. |
CVE-2024-21514 | 1 Opencart | 1 Opencart | 2024-11-21 | N/A | 7.4 HIGH | This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data. |
CVE-2024-1839 | | | 2024-11-21 | N/A | 10.0 CRITICAL | Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an unauthenticated remote attacker to execute malicious code, exfiltrate data, or manipulate the database. |
CVE-2024-1576 | 1 Megabip | 1 Megabip | 2024-11-21 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in MegaBIP software allows an attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09. |
CVE-2024-1530 | 1 Shopex | 1 Ecshop | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability, which was classified as critical, has been found in ECshop 4.1.8. Affected by this issue is some unknown functionality of the file /admin/view_sendlist.php. The manipulation leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-250562 is the identifier assigned to this vulnerability. |
CVE-2024-1254 | 1 Byzoro | 2 Smart S20, Smart S20 Firmware | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability, which was classified as critical, was found in Byzoro Smart S20 Management Platform up to 20231120. This affects an unknown part of the file /sysmanage/sysmanageajax.php. The manipulation of the argument id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252993 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2024-1252 | 1 Tongda2000 | 1 Tongda Office Anywhere | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM | A vulnerability classified as critical was found in Tongda OA 2017 up to 11.9. Affected by this vulnerability is an unknown functionality of the file /general/attendance/manage/ask_duty/delete.php. The manipulation of the argument ASK_DUTY_ID leads to SQL injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-252991. |
CVE-2024-1207 | 1 Wpbookingcalendar | 1 Booking Calendar | 2024-11-21 | N/A | 9.8 CRITICAL | The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. |