A vulnerability was detected in itsourcecode College Management System 1.0. This vulnerability affects unknown code of the file /login/login.php. The manipulation of the argument email results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
Multiple SQL injection vulnerabilities in the JE FAQ Pro (com_jefaqpro) component 1.5.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via category categorylist operations with (1) the catid parameter or (2) the catid parameter in a lists action.
Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI.
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 164064.
The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action.
SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI.
SQL injection vulnerability in index.php in Freeway CMS 1.4.3.210 allows remote attackers to execute arbitrary SQL commands via the ecPath parameter.
Multiple SQL injection vulnerabilities in 2daybiz Multi Level Marketing (MLM) Software allow remote attackers to execute arbitrary SQL commands via the username parameter to (1) index.php and (2) admin/index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
SQL injection vulnerability in the BookLibrary From Same Author (com_booklibrary) module 1.5 and possibly earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php.
SQL injection vulnerability in the BF Survey Pro (com_bfsurvey_pro) component before 1.3.1, BF Survey Pro Free (com_bfsurvey_profree) component 1.2.6, and BF Survey Basic component before 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. NOTE: some of these details are obtained from third party information.
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.
SQL injection vulnerability in show_search_result.php in i-netsolution Job Search Engine allows remote attackers to execute arbitrary SQL commands via the keyword parameter.
SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via a custom field to the search page.
Tongda2000 v11.10 was discovered to contain a SQL injection vulnerability in change_box.php via the DELETE_STR parameter.
Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter.
Luocms v2.0 is affected by SQL Injection in /admin/news/news_mod.php.
MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter.
A security flaw has been discovered in itsourcecode News Portal Project 1.0. The affected element is an unknown function of the file /newsportal/admin/edit-category.php. The manipulation of the argument Category results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Advanced Real Estate Script 4.0.7 has SQL Injection via the search-results.php Projectmain, proj_type, searchtext, sell_price, or maxprice parameter.
SQL injection vulnerability in the redSHOP Component (com_redshop) 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter to index.php.
SQL injection vulnerability in profile_view.php in Devana 1.6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUTransferHistory Get method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4230.
An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/ProductAction.class.php allows blind SQL Injection via the id[0] parameter to the /product URI.
Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUScheduleSet Get method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4235.
SQL injection vulnerability in index.php in Seagull 0.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via the frmQuestion parameter in a retrieve action, in conjunction with a user/password PATH_INFO.
SQL injection vulnerability in articlesdetails.php in ScriptsFeed and BrotherScripts (BS) Scripts Directory allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2010-2905.
SQL injection vulnerability in detail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the ID parameter.
SQL injection vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to execute arbitrary SQL commands via the search parameter.
IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 155886.
SQL injection vulnerability in news.php in AJ Square AJ HYIP MERIDIAN allows remote attackers to execute arbitrary SQL commands via the id parameter.
SQL injection vulnerability in index.php in Tycoon Baseball Script 1.0.9 allows remote attackers to execute arbitrary SQL commands via the game_id parameter in a game_player action.
PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter.
FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter.
inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATH_INFO. The vulnerable code location is com.inxedu.os.edu.controller.user.UserController#deleteFavorite (aka deleteFavorite in com/inxedu/os/edu/controller/user/UserController.java), where courseFavoritesService.deleteCourseFavoritesById is mishandled during use of MyBatis. NOTE: UserController.java has a spelling variation in an annotation: a @RequestMapping("/deleteFaveorite/{ids}") line followed by a "public ModelAndView deleteFavorite" line.
SQL injection vulnerability in the Ozio Gallery (com_oziogallery) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
SQL injection vulnerability in eWebQuiz.asp in ActiveWebSoftwares.com eWebquiz 8 allows remote attackers to execute arbitrary SQL commands via the QuizType parameter, a different vector than CVE-2007-1706.
A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
E-commerce MLM Software 1.0 has SQL Injection via the service_detail.php pid parameter, event_detail.php eventid parameter, or news_detail.php newid parameter.
Advance B2B Script 2.1.3 has SQL Injection via the tradeshow-list-detail.php show_id or view-product.php pid parameter.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of GET method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute arbitrary code in the context of the underlying database. Was ZDI-CAN-4223.
The simple-login-log plugin before 1.1.2 for WordPress has SQL injection.
PHP Scripts Mall Professional Service Script has SQL injection via the admin/review.php id parameter.
AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.
The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php.
Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php.
US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter.
iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.php sc parameter or the service-provider.php ser parameter.
A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.