Total
15388 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15468 | 1 Persian Vip Download Script Project | 1 Persian Vip Download Script | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Persian VIP Download Script 1.0 allows SQL Injection via the cart_edit.php active parameter. | |||||
| CVE-2020-15394 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. | |||||
| CVE-2020-15363 | 1 Nexos Project | 1 Nexos | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection. | |||||
| CVE-2020-15333 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | N/A | 5.3 MEDIUM |
| Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discover accounts via MySQL "select * from Administrator_users" and "select * from Users_users" requests. | |||||
| CVE-2020-15308 | 1 Turnkeylinux | 1 Support Incident Tracker | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-authentication SQL injection via the site_edit.php typeid or site parameter, the search_incidents_advanced.php search_title parameter, or the report_qbe.php criteriafield parameter. | |||||
| CVE-2020-15226 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 5.0 MEDIUM |
| In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory. | |||||
| CVE-2020-15176 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 8.7 HIGH |
| In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2 | |||||
| CVE-2020-15160 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8 | |||||
| CVE-2020-15153 | 1 Ampache | 1 Ampache | 2024-11-21 | 7.5 HIGH | 8.2 HIGH |
| Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch. | |||||
| CVE-2020-15108 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 4.0 MEDIUM | 7.1 HIGH |
| In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1. | |||||
| CVE-2020-15072 | 1 Phplist | 1 Phplist | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section. | |||||
| CVE-2020-15052 | 1 Articatech | 1 Artica Proxy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Artica Proxy CE before 4.28.030.418. SQL Injection exists via the Netmask, Hostname, and Alias fields. | |||||
| CVE-2020-15008 | 1 Connectwise | 1 Connectwise Automate | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Usage of other SQL injection techniques such as timing attacks, it is possible to perform full data extraction as well. Patched in 2020.7 and in a hotfix for 2019.12. | |||||
| CVE-2020-14982 | 1 Kronos | 1 Web Time And Attendance | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database. | |||||
| CVE-2020-14972 | 1 Pisay Online E-learning System Project | 1 Pisay Online E-learning System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Sourcecodester Pisay Online E-Learning System 1.0 allow remote unauthenticated attackers to bypass authentication and achieve Remote Code Execution (RCE) via the user_email, user_pass, and id parameters on the admin login-portal and the edit-lessons webpages. | |||||
| CVE-2020-14960 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter, | |||||
| CVE-2020-14497 | 1 Advantech | 1 Iview | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. | |||||
| CVE-2020-14443 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2020-14349 | 2 Opensuse, Postgresql | 2 Leap, Postgresql | 2024-11-21 | 4.6 MEDIUM | 7.1 HIGH |
| It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication. | |||||
| CVE-2020-14295 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. | |||||