SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_class1.php.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.
A vulnerability has been found in SourceCodester Stock Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-267457 was assigned to this vulnerability.
A vulnerability was found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. It has been classified as critical. Affected is the function log_employee of the file /classes/Master.php?f=log_employee. The manipulation of the argument employee_code leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-268422 is the identifier assigned to this vulnerability.
The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable to SQL injection authentication bypass. An attacker can obtain access to the admin panel by injecting a SQL query in the username field of the login page.
The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue
The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection
The visitors-online plugin before 0.4 for WordPress has SQL injection.
SQL injection vulnerability in gallery.php in Plogger Beta 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter, when the level is set to "slideshow". NOTE: This is a different vulnerability than CVE-2005-4246.
SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (login parameter) to main.php.
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Show&userid=.
The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion
Multiple SQL injection vulnerabilities in MvBlog before 1.6 allow remote attackers to execute arbitrary SQL commands via unknown vectors.
The cforms2 plugin before 14.6.10 for WordPress has SQL injection.
SQL injection vulnerability in SourceCodester Travel Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the catid parameter to subcat.php.
A vulnerability, which was classified as critical, has been found in Chanjet Smooth T+system 3.5. This issue affects some unknown processing of the file /tplus/UFAQD/keyEdit.aspx. The manipulation of the argument KeyID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-267185 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiWAN before 4.5.9 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits."
SQL injection vulnerability in SourceCodester Sales and Inventory System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to \ahira\admin\inventory.php.
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
SQL injection vulnerability in SourceCodester Alumni Management System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to manage_event.php.
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
Online Student Admission v1.0 was discovered to contain a SQL injection vulnerability via the txtapplicationID parameter.
SQL injection vulnerability in SourceCodester Theme Park Ticketing System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to view_user.php .
Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts.
The liveforms plugin before 3.2.0 for WordPress has SQL injection.
The user area for Library System 1.0 is vulnerable to SQL injection where a user can bypass the authentication and login as the admin user.
Multiple SQL injection vulnerabilities in admin/bbcodes.php in Viscacha 0.8.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) bbcodeexample, (2) buttonimage, or (3) bbcodetag parameter.
Multiple SQL injection vulnerabilities in Hinton Design phphg Guestbook 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to check.php or the id parameter to (2) admin/edit_smilie.php, (3) admin/add_theme.php, (4) admin/ban_ip.php, (5) admin/add_lang.php, or (6) admin/edit_filter.php.
Multiple SQL injection vulnerabilities in index.php in NewsPHP allow remote attackers to execute arbitrary SQL commands via the (1) discuss, (2) tim, (3) id, (4) last, and (5) limit parameter.
SQL injection vulnerability in news.php4 in Hypermethod eLearning Server 4G allows remote attackers to execute arbitrary SQL commands via the nid parameter.
SQL injection vulnerability in army.php in supersmashbrothers (SSB) Army System 2.1.0 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the userstat parameter in an army action to index.php.
SQL injection vulnerability in SourceCodester CASAP Automated Enrollment System v 1.0 allows remote attackers to execute arbitrary SQL statements, via the id parameter to edit_user.php.
SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands by setting the comma variable value via the comma parameter in a cookie. NOTE: 1.04 has also been reported to be affected.
SQL injection vulnerability in yazdir.asp in Cilem Hiber 1.1 allows remote attackers to execute arbitrary SQL commands via the haber_id parameter. NOTE: this product has also been referred to as "Cilem News," although that does not appear to be the proper name.
Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.
Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php. NOTE: some sources have reported item 1 as involving the "monthly" parameter, but this is incorrect.
The newstatpress plugin before 1.0.1 for WordPress has SQL injection.
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address
Baby Care System v1.0 is vulnerable to SQL injection via the 'id' parameter on the contentsectionpage.php page.
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability via the category parameter in categorymenu.php.
Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitrary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues has been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues.
SQL injection vulnerability in VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3 allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to Service_Requests.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this issue, saying that "[we] have a behind the scenes complex state management system that uses a combination of keys placed in JavaScript and Session State (server side) that protects against the type of SQL injection you describe. We have tested for many of the cases and have not found it to be an issue." Further investigation suggests that the original researcher might have triggered errors using invalid field values, which is not proof of SQL injection; however, the vendor did not receive a response from the original researcher
Insurance Management System 1.0 was discovered to contain a SQL injection vulnerability via the username parameter.
Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with `mysql.escape()` which could lead to SQL Injection.
SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action.
SQL injection vulnerability in userlogin.jsp in Daffodil CRM 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified parameters in a login action.
Multiple SQL injection vulnerabilities in giris.asp in Aspee and Dogantepe Ziyaretci Defteri allow remote attackers to execute arbitrary SQL commands via the (1) kullanici or (2) parola parameter.
The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection