Total
15108 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9087 | 1 Vehicle Management Project | 1 Vehicle Management | 2024-09-26 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1.0. This affects an unknown part of the file /edit1.php. The manipulation of the argument sno leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2019-25212 | 1 I13websolution | 1 Video Carousel Slider With Lightbox | 2024-09-26 | N/A | 7.2 HIGH |
| The video carousel slider with lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-7735 | 2024-09-26 | N/A | N/A | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Exnet Informatics Software Ferry Reservation System allows SQL Injection.This issue affects Ferry Reservation System: before 240805-002. | |||||
| CVE-2024-47062 | 2024-09-26 | N/A | N/A | ||
| Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-8945 | 1 Fairsketch | 1 Rise Ultimate Project Manager | 2024-09-25 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been found in CodeCanyon RISE Ultimate Project Manager 3.7.0 and classified as critical. This vulnerability affects unknown code of the file /index.php/dashboard/save. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | |||||
| CVE-2024-9011 | 1 Code-projects | 1 Crud Operation System | 2024-09-25 | 6.5 MEDIUM | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in code-projects Crud Operation System 1.0. Affected is an unknown function of the file updata.php. The manipulation of the argument sid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9009 | 1 Fabianros | 1 Online Quiz Site | 2024-09-25 | 6.5 MEDIUM | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, has been found in code-projects Online Quiz Site 1.0. This issue affects some unknown processing of the file showtest.php. The manipulation of the argument subid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-46382 | 1 Linlinjava | 1 Litemall | 2024-09-25 | N/A | 7.5 HIGH |
| A SQL injection vulnerability in linlinjava litemall 1.8.0 allows a remote attacker to obtain sensitive information via the goodsId, goodsSn, and name parameters in AdminGoodscontroller.java. | |||||
| CVE-2024-44004 | 1 Wptaskforce | 1 Track \& Trace | 2024-09-24 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPTaskForce WPCargo Track & Trace allows SQL Injection.This issue affects WPCargo Track & Trace: from n/a through 7.0.6. | |||||
| CVE-2024-8146 | 1 Pharmacy Management System Project | 1 Pharmacy Management System | 2024-09-24 | 6.5 MEDIUM | 9.8 CRITICAL |
| A vulnerability has been found in code-projects Pharmacy Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /index.php?action=editSalesman. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-43978 | 1 Superstorefinder | 1 Super Store Finder | 2024-09-24 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder allows SQL Injection.This issue affects Super Store Finder: from n/a before 6.9.8. | |||||
| CVE-2024-43976 | 1 Superstorefinder | 1 Super Store Finder | 2024-09-24 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder allows SQL Injection.This issue affects Super Store Finder: from n/a through 6.9.7. | |||||
| CVE-2022-25775 | 1 Acquia | 1 Mautic | 2024-09-23 | N/A | 7.2 HIGH |
| Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. The user could retrieve and alter data like sensitive data, login, and depending on database permission the attacker can manipulate file systems. | |||||
| CVE-2024-8944 | 1 Fabianros | 1 Hospital Management System | 2024-09-23 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in code-projects Hospital Management System 1.0. This affects an unknown part of the file check_availability.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-6401 | 1 Sfs | 1 Insuree Gl | 2024-09-20 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting InsureE GL allows SQL Injection.This issue affects InsureE GL: before 4.6.2. | |||||
| CVE-2024-6795 | 1 Baxter | 1 Connex Health Portal | 2024-09-20 | N/A | 9.8 CRITICAL |
| In Connex health portal released before8/30/2024, SQL injection vulnerabilities were found that could have allowed an unauthenticated attacker to gain unauthorized access to Connex portal's database. An attacker could have submitted a crafted payload to Connex portal that could have resulted in modification and disclosure of database content and/or perform administrative operations including shutting down the database. | |||||
| CVE-2024-43969 | 2024-09-20 | N/A | 7.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spiffy Plugins Spiffy Calendar allows SQL Injection.This issue affects Spiffy Calendar: from n/a through 4.9.12. | |||||
| CVE-2024-42404 | 2024-09-20 | N/A | 8.8 HIGH | ||
| SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database. | |||||
| CVE-2024-44542 | 2024-09-20 | N/A | 9.8 CRITICAL | ||
| SQL Injection vulnerability in todesk v.1.1 allows a remote attacker to execute arbitrary code via the /todesk.com/news.html parameter. | |||||
| CVE-2024-7717 | 1 Thimpress | 1 Wp Events Manager | 2024-09-20 | N/A | 8.8 HIGH |
| The WP Events Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 2.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||