The cforms2 plugin before 14.13 for WordPress has SQL injection in the tracking DB GUI via Delete Entries or Download Entries.
An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ladder/stats.php via the GET game parameter.
Readymade Job Site Script has SQL Injection via the location_name array parameter to the /job URI.
PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to index.php.
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.
SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI.
SQL injection vulnerability in CitySoft Community Enterprise 4.x allows remote attackers to execute arbitrary SQL commands via the (1) nodeID, (2) pageID, (3) ID, and (4) parentid parameter to index.cfm; and (5) documentFormatId parameter to document/docWindow.cfm.
Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker_details.php sourcebus parameter.
Professional Service Script 1.0 has SQL Injection via the service-list city parameter.
Entrepreneur Job Portal Script 2.0.6 has SQL Injection via the jobsearch_all.php rid1 parameter.
SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter. NOTE: it was later reported that 1.1 and earlier are affected.
Co-work Space Search Script 1.0 has SQL Injection via the /list city parameter.
FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter.
Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request.
Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter in index.php and (2) pagid parameter in verpag.php, and possibly other vectors.
FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parameter.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUBackupOptionSet Get method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4286.
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Multiple SQL injection vulnerabilities in admin.php in ChurchCMS 0.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) uname or (2) pass parameters in a login action.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUSourceDeviceSet Get method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4237.
Multiple SQL injection vulnerabilities in Bitweaver 1.1 and 1.1.1 beta allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to (a) fisheye/list_galleries.php, (b) messages/message_box.php, and (c) users/my.php; the (2) post_id parameter to (d) blogs/view_post.php; and the (3) blog_id parameter to (e) blogs/view.php, which are not properly cleansed by the convert_sortmode function in kernel/BitDb.php.
SQL injection vulnerability in MusicBox 2.3 allows remote attackers to execute arbitrary SQL commands via the (1) show and (2) type parameter. NOTE: the provenance of this information is unknown, although it was later rediscovered.
SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the details are obtained solely from third party information.
FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvshow.php s parameter, or show_misc_video.php id parameter.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUBackup TimeRange method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4294.
E-commerce MLM Software 1.0 has SQL Injection via the service_detail.php pid parameter, event_detail.php eventid parameter, or news_detail.php newid parameter.
An issue was discovered in TONGDA Office Anywhere 10.18.190121. There is a SQL Injection vulnerability via the general/approve_center/list/input_form/work_handle.php run_id parameter.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of GET method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute arbitrary code in the context of the underlying database. Was ZDI-CAN-4223.
Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vulnerability in the back end as well as in the listing module.
A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment/alipay/pay.php with the parameter id. The vulnerability does not need any authentication.
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.
Yoga Class Script 1.0 has SQL Injection via the /list city parameter.
Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter.
Advance Online Learning Management Script 3.1 has SQL Injection via the courselist.php subcatid or popcourseid parameter.
FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter.
SQL injection vulnerability in tickets.php in cSupport 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the pg parameter.
Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL commands via a single.php?id= request.
SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1.0 allows remote attackers to execute arbitrary SQL commands, then steal credentials and upload files, via the cat parameter ($tmpCategory variable).
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus Get method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4225.
DomainSale PHP Script 1.0 has SQL Injection via the domain.php id parameter.
Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus Count method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4226.
MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter.
Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter.
Laundry Booking Script 1.0 has SQL Injection via the /list city parameter.
FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter.
Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
SQL injection vulnerability in WebCalendar 1.0.1 allows remote attackers to execute arbitrary SQL commands via the time_range parameter to edit_report_handler.php. NOTE: the startid/activity_log.php vector is already covered by CVE-2005-3949.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUBackupSegment Get method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4234.
SQL injection vulnerability in body.asp in Web File Explorer 3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.