Total
15444 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-4328 | 1 Ibm | 1 Financial Transaction Manager For Multiplatform | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839. | |||||
| CVE-2020-4035 | 1 Nozbe | 1 Watermelondb | 2024-11-21 | 5.5 MEDIUM | 5.9 MEDIUM |
| In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don't validate IDs (valid IDs are `/^[a-zA-Z0-9_-.]+$/`) and use Watermelon Sync or low-level `database.adapter.destroyDeletedRecords` method. The integrity risk is low due to the fact that maliciously deleted records won't synchronize, so logout-login will restore all data, although some local changes may be lost if the malicious deletion causes the sync process to fail to proceed to push stage. No way to breach confidentiality with this vulnerability is known. Full exploitation of SQL Injection is mitigated, because it's not possible to nest an insert/update query inside a delete query in SQLite, and it's not possible to pass a semicolon-separated second query. There's also no known practicable way to breach confidentiality by selectively deleting records, because those records will not be synchronized. It's theoretically possible that selective record deletion could cause an app to behave insecurely if lack of a record is used to make security decisions by the app. This is patched in versions 0.15.1, 0.16.2, and 0.16.1-fix | |||||
| CVE-2020-4003 | 1 Vmware | 1 Sd-wan Orchestrator | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| VMware SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 was found to be vulnerable to SQL-injection attacks allowing for potential information disclosure. An authenticated SD-WAN Orchestrator user may inject code into SQL queries which may lead to information disclosure. | |||||
| CVE-2020-3984 | 1 Vmware | 1 Sd-wan Orchestrator | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 does not apply correct input validation which allows for SQL-injection. An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access. | |||||
| CVE-2020-3973 | 2 Linux, Vmware | 2 Linux Kernel, Velocloud Orchestrator | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The VeloCloud Orchestrator does not apply correct input validation which allows for blind SQL-injection. A malicious actor with tenant access to Velocloud Orchestrator could enter specially crafted SQL queries and obtain data to which they are not privileged. | |||||
| CVE-2020-3937 | 1 Sysjust | 1 Syuan-gu-da-shin | 2024-11-21 | 5.0 MEDIUM | 8.1 HIGH |
| SQL Injection in SysJust Syuan-Gu-Da-Shih, versions before 20191223, allowing attackers to perform unwanted SQL queries and access arbitrary file in the database. | |||||
| CVE-2020-3936 | 1 Unisoon | 2 Ultralog Express, Ultralog Express Firmware | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| UltraLog Express device management interface does not properly filter user inputted string in some specific parameters, attackers can inject arbitrary SQL command. | |||||
| CVE-2020-3934 | 1 Secom | 2 Dr.id Access Control, Dr.id Attendance System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command. | |||||
| CVE-2020-3922 | 1 Armorx | 1 Lisomail | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| LisoMail, by ArmorX, allows SQL Injections, attackers can access the database without authentication via a URL parameter manipulation. | |||||
| CVE-2020-3719 | 1 Magento | 1 Magento | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | |||||
| CVE-2020-3468 | 1 Cisco | 1 Sd-wan Firmware | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates values within SQL queries. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system. | |||||
| CVE-2020-3462 | 1 Cisco | 1 Data Center Network Manager | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database. | |||||
| CVE-2020-3450 | 1 Cisco | 1 Vision Dynamic Signage Director | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative credentials to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the web-based management interface and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data that is stored in the underlying database, including hashed user credentials. To exploit this vulnerability, an attacker would need valid administrative credentials. | |||||
| CVE-2020-3378 | 1 Cisco | 12 1100-4g Integrated Services Router, 1100-4gltegb Integrated Services Router, 1100-4gltena Integrated Services Router and 9 more | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the web-based management interface for Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. | |||||
| CVE-2020-3339 | 1 Cisco | 1 Prime Infrastructure | 2024-11-21 | 6.4 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database. | |||||
| CVE-2020-3184 | 1 Cisco | 1 Prime Collaboration Provisioning | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in the web-based management interface of Cisco Prime Collaboration Provisioning Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates user input for specific SQL queries. An attacker could exploit this vulnerability by authenticating to the application with valid administrative credentials and sending malicious requests to an affected system. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, or delete information from the database that they are not authorized to delete. | |||||
| CVE-2020-3154 | 1 Cisco | 1 Cloud Web Security | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web UI of Cisco Cloud Web Security (CWS) could allow an authenticated, remote attacker to execute arbitrary SQL queries. The vulnerability exists because the web-based management interface improperly validates SQL values. An authenticated attacker could exploit this vulnerability sending malicious requests to the affected device. An exploit could allow the attacker to modify values on or return values from the underlying database. | |||||
| CVE-2020-36768 | 1 Reiner-lemoine-institut | 1 Nesp2 | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in rl-institut NESP2 Initial Release/1.0. It has been classified as critical. Affected is an unknown function of the file app/database.py. The manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 07c0cdf36cf6a4345086d07b54423723a496af5e. It is recommended to apply a patch to fix this issue. VDB-246642 is the identifier assigned to this vulnerability. | |||||
| CVE-2020-36648 | 1 Pouet | 1 Pouet2.0 | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in pouetnet pouet 2.0. This affects an unknown part. The manipulation of the argument howmany leads to sql injection. The identifier of the patch is 11d615931352066fb2f6dcb07428277c2cd99baf. It is recommended to apply a patch to fix this issue. The identifier VDB-217641 was assigned to this vulnerability. | |||||
| CVE-2020-36645 | 1 Square | 1 Squalor | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in square squalor. This affects an unknown part. The manipulation leads to sql injection. Upgrading to version v0.0.0 is able to address this issue. The patch is named f6f0a47cc344711042eb0970cb423e6950ba3f93. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217623. | |||||