Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_loopmapHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
A vulnerability has been found in itsourcecode Apartment Management System 1.0. This vulnerability affects unknown code of the file /maintenance/add_maintenance_cost.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
EBM Technologies RISWEB's specific query function parameter does not properly restrict user input, and this feature page is accessible without login. This allows remote attackers to inject SQL commands without authentication, enabling them to read, modify, and delete database records.
A vulnerability, which was classified as critical, has been found in Netentsec NS-ASG Application Security Gateway 6.3. This issue affects some unknown processing of the file /admin/singlelogin.php. The manipulation of the argument loginId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257285 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the id parameter at /WorkFlow/wf_office_file_history_show.aspx.
A vulnerability was found in SourceCodester Employee Task Management System 1.0. It has been classified as critical. This affects an unknown part of the file attendance-info.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257055.
A vulnerability was found in Email Registration 5.x-2.1 on Drupal. It has been declared as critical. This vulnerability affects the function email_registration_user of the file email_registration.module. The manipulation of the argument namenew leads to sql injection. The attack can be initiated remotely. Upgrading to version 6.x-1.0 is able to address this issue. The patch is identified as 126c141b7db038c778a2dc931d38766aad8d1112. It is recommended to upgrade the affected component. VDB-222334 is the identifier assigned to this vulnerability.
A vulnerability was found in SourceCodester Simple Student Information System. It has been rated as critical. This issue affects some unknown processing of the file admin/departments/manage_department.php. The manipulation of the argument id with the input -5756%27%20UNION%20ALL%20SELECT%20NULL,database(),user(),NULL,NULL,NULL,NULL--%20- leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-205829 was assigned to this vulnerability.
bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit.
An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3.
SQL injection vulnerability exists in GetDIAE_usListParameters.
A vulnerability was found in SourceCodester Employee Management System. It has been classified as critical. Affected is an unknown function of the file /process/eprocess.php. The manipulation of the argument mailuid/pwd leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-205836.
An SQL Injection vulnerability exists in Sourcecodester Computer and Mobile Repair Shop Management system (RSMS) 1.0 via the code parameter in /rsms/ node app.
An SQL Injection vulnerability exists in Sourcecodester Employee and Visitor Gate Pass Logging System 1.0 via the username parameter.
SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows to destroy a local cache when a harmful query is executed requiring to resetup the account.
Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the pwd parameter at /aprocess.php.
SQL Injection vulnerability in HiPresta "Gift Wrapping Pro" (hiadvancedgiftwrapping) module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information via the HiAdvancedGiftWrappingGiftWrappingModuleFrontController::addGiftWrappingCartValue() method.
xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
Simple Expense Tracker v1.0 was discovered to contain a SQL injection vulnerability via the expense parameter at /endpoint/delete_expense.php.
Code-projects Hotel Managment System 1.0, allows SQL Injection via the 'sid' parameter in Hotel/admin/show.php?sid=2.
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list.
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list
Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the mailud parameter at /aprocess.php.
Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue.
A vulnerability was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/bookdate.php. The manipulation of the argument room_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256957 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Code-projects Cinema Seat Reservation System 1.0 allows SQL Injection via the 'id' parameter at "/Cinema-Reservation/booking.php?id=1."
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/roleDataPerm/list
A vulnerability was found in Project Worlds Life Insurance Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /editNominee.php. The manipulation of the argument nominee_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file add_user.php. The manipulation of the argument city leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256453 was assigned to this vulnerability.
Tongda OA v2017 and up to v11.9 was discovered to contain a SQL injection vulnerability via the $AFF_ID parameter at /affair/delete.php.
SQL Injection vulnerability in code-projects Agro-School Management System 1.0 allows attackers to run arbitrary code via the Login page.
Sourcecodester Event Student Attendance System 1.0, allows SQL Injection via the 'student' parameter.
Multiple SQL Injection vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) URLs, (2) lang_id, (3) tmpl_id, (4) mod_rewrite (5) eta_doctype. (6) meta_charset, (7) default_group, and (8) page group parameters in the settings mode in admin/index.php.
SQL injection bypass authentication vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. An attacker can log in as an admin account of this system and can destroy, change or manipulate all sensitive information on the system.
An SQL Injection vulnerability exists in Sourcecodester Simple Cold Storage Management System using PHP/OOP 1.0 via the username field in login.php.
SQL Injection vulnerability in /app/api/controller/Store.php in Niushop B2B2C V5 allows attackers to run arbitrary SQL commands via latitude and longitude parameters.
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.
Sourcecodester School Task Manager 1.0 allows SQL Injection via the 'subject' parameter.
Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the projectID parameter at /TaskManager/EditProject.php.
Online Shopping Portal v3.1 was discovered to contain multiple time-based SQL injection vulnerabilities via the email and contactno parameters.
SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.
In JeecgBoot 3.0, there is a SQL injection vulnerability that can operate the database with root privileges.
An issue was discovered in Active Intelligent Visualization 5. The Vdc header is used in a SQL query without being sanitized. This causes SQL injection.
Projectworlds online-shopping-webvsite-in-php 1.0 suffers from a SQL Injection vulnerability via the "id" parameter in cart_add.php, No login is required.
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.
Sourcecodester School Task Manager App 1.0 allows SQL Injection via the 'task' parameter.
Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection via the News Feed.
JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.
SQLAlchemyDA is a generic database adapter for ZSQL methods. A vulnerability found in versions prior to 2.2 allows unauthenticated execution of arbitrary SQL statements on the database to which the SQLAlchemyDA instance is connected. All users are affected. The problem has been patched in version 2.2. There is no workaround for the problem.