Multiple SQL injection vulnerabilities in Hinton Design phphg Guestbook 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to check.php or the id parameter to (2) admin/edit_smilie.php, (3) admin/add_theme.php, (4) admin/ban_ip.php, (5) admin/add_lang.php, or (6) admin/edit_filter.php.
The wp-statistics plugin before 12.0.8 for WordPress has SQL injection.
An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php. .
SQL injection vulnerability in leaguemanager.php in the LeagueManager plugin before 3.8.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the league_id parameter in the leaguemanager-export page to wp-admin/admin.php.
Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitrary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues has been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues.
Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php. NOTE: some sources have reported item 1 as involving the "monthly" parameter, but this is incorrect.
SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password parameters.
An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php.
Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter.
Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts.
Multiple SQL injection vulnerabilities in the update_counter function in includes/functions.php in ClipBucket 2.6 allow remote attackers to execute arbitrary SQL commands via the time parameter to (1) videos.php or (2) channels.php. NOTE: some of these details are obtained from third party information.
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
SQL injection vulnerability in /wbg/core/_includes/authorization.inc.php in CMS Web-Gooroo through 2013-01-19 allows remote attackers to execute arbitrary SQL commands via the wbg_login parameter.
Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CMS allow remote attackers to execute arbitrary SQL commands via the (1) Press_Release_ID parameter in press/details.asp, (2) Service_ID parameter in services/details.asp, and (3) Product_ID parameter in products/details.asp.
SQL injection vulnerability in Hitachi Business Logic - Container 02-03 through 03-00-/B on Windows, and 03-00 through 03-00-/B on Linux, allows remote attackers to execute arbitrary SQL commands via unspecified vectors in the extended receiving box function.
SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3.
A security vulnerability has been detected in Campcodes Grocery Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=delete_sales. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the hid parameter.
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter.
PHP Scripts Mall Resume Clone Script has SQL Injection via the forget.php username parameter.
EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user.
The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL Injection via the an parameter in a view=tags action, or the ques-srch parameter.
An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ladder/stats.php via the POST user_search parameter.
The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.
SQL injection vulnerability in army.php in supersmashbrothers (SSB) Army System 2.1.0 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the userstat parameter in an army action to index.php.
A vulnerability has been found in itsourcecode Online Discussion Forum 1.0. This affects an unknown function of the file /admin. Such manipulation of the argument Username leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Church Management System version 1.0 is affected by a SQL anjection vulnerability through creating a user with a PHP file as an avatar image, which is accessible through the /uploads directory. This can lead to RCE on the web server by uploading a PHP webshell.
PHP Scripts Mall Car Rental Script has SQL Injection via the admin/carlistedit.php carid parameter.
SQL injection vulnerability in poll_frame.php in Vote! Pro 4.0 and earlier allows remote attackers to execute arbitrary SQL commands via the poll_id parameter.
Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to themes/flixer/ajax/get_rating.php; the (4) rating or (5) movie_id parameter to themes/flixer/ajax/update_rating.php; or the (6) id parameter to themes/flixer/ajax/set_player_source.php.
Multiple SQL injection vulnerabilities in BOINC allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter.
SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php.
Multiple SQL injection vulnerabilities in Papoo 2.1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) menuid parameter to (a) index.php and (b) guestbook.php, and the (2) forumid and (3) reporeid_print parameters to (c) print.php.
Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb.
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.
An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
SQL injection vulnerability in view_archive.cfm in CFMagic Magic List Pro 2.5 allows remote attackers to execute arbitrary SQL commands via the ListID parameter.
The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action.
A weakness has been identified in Campcodes Grocery Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=save_receiving. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.
Multiple SQL injection vulnerabilities in MYRE Vacation Rental Software allow remote attackers to execute arbitrary SQL commands via the (1) garage1 or (2) bathrooms1 parameter to vacation/1_mobile/search.php, or (3) unspecified input to vacation/widgate/request_more_information.php.
SQL injection vulnerability in index.php in Jamit Job Board 2.4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: the vendor has disputed this issue, saying "The vulnerability is without any basis and did not actually work." CVE has not verified either the vendor or researcher statements, but the original researcher is known to make frequent mistakes when reporting SQL injection
The note-press plugin before 0.1.2 for WordPress has SQL injection.
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter.
An SQL injection vulnerability was discovered in Gym Management System In manage_user.php file, GET parameter 'id' is vulnerable.
Multiple SQL Injection vulnerabilities exist in Sourcecodester Simple Cashiering System (POS) 1.0 via the (1) Product Code in the pos page in cashiering. (2) id parameter in manage_products and the (3) t paramater in actions.php.
SQL injection vulnerability in saralblog 1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to viewprofile.php.
EGavilan Media Under Construction page with cPanel 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution.
SQL injection in the ID parameter of the UploadedImageDisplay.aspx endpoint of SelectSurvey.NET before 5.052.000 allows a remote, unauthenticated attacker to retrieve data from the application's backend database via boolean-based blind and UNION injection.
Multiple SQL injection vulnerabilities in PhpWebGallery 1.5.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) since, (2) sort_by, and (3) items_number parameters to comments.php, (4) the search parameter to category.php, and (5) image_id parameter to picture.php. NOTE: it was later reported that the comments.php/sort_by vector also affects 1.7.2 and earlier.