SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application.
Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint with malicious SQL payloads using boolean-based blind or time-based blind techniques to extract sensitive database information.
School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials.
Shipping System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious SQL payloads using boolean-based blind techniques in POST requests to the admin login endpoint to authenticate without valid credentials.
Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information.
Wecodex Hotel CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows unauthenticated attackers to bypass authentication by injecting SQL code. Attackers can submit malicious SQL payloads through the username parameter in POST requests to index.php with action=processlogin to extract sensitive database information or gain unauthorized administrative access.
Blind SQL injection in api_version parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query.
SQL injection vulnerability in Exam Form Submission in PHP with Source Code v.1.0 allows a remote attacker to escalate privileges via the val-username parameter in /index.php.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cevik Informatics Online Payment System allows SQL Injection.This issue affects Online Payment System: before 4.09.
A vulnerability was found in PHPGurukul Men Salon Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/view-appointment.php?viewid=11. The manipulation of the argument remark leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().'
A vulnerability was found in xxyopen Novel-Plus 5.1.0. It has been classified as critical. This affects the function searchByPage of the file /book/searchByPage. The manipulation of the argument sort leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/list_ipAddressPolicy.php. The manipulation of the argument GroupId leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255301 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into parameters. Attackers can exploit the key parameter in the login endpoint with union-based SQL injection to authenticate as administrator, then leverage authenticated file disclosure vulnerabilities in language_file.php to read arbitrary PHP files from the server.
SQL injection exists in Scriptzee Hotel Booking Engine 1.0 via the hotels h_room_type parameter.
Point Of Sales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb.
SQL injection vulnerability in FIT2CLOUD RackShift v1.7.1 allows attackers to execute arbitrary code via the `sort` parameter to taskService.list(), bareMetalService.list(), and switchService.list().
A vulnerability was found in SourceCodester Computer Inventory System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/delete-computer.php. The manipulation of the argument computer leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-255382 is the identifier assigned to this vulnerability.
K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
A vulnerability has been found in code-projects Accounting System 1.0. This affects an unknown part of the file /view_work.php of the component Parameter Handler. Such manipulation of the argument en_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
A weakness has been identified in itsourcecode Online Enrollment System 1.0. Impacted is an unknown function of the file /enrollment/index.php?view=edit&id=3 of the component Parameter Handler. This manipulation of the argument deptid causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
A vulnerability was found in opplus springboot-admin 1.0 and classified as critical. This issue affects some unknown processing of the file \src\main\resources\mapper\sys\SysLogDao.xml. The manipulation of the argument order leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.
Horus CMS allows SQL Injection, as demonstrated by a request to the /busca or /home URI.
A vulnerability classified as critical has been found in SourceCodester Simple Online Bidding System 1.0. This affects an unknown part of the file index.php. The manipulation of the argument category_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255393 was assigned to this vulnerability.
A security flaw has been discovered in code-projects Simple Food Order System 1.0. This impacts an unknown function of the file /all-tickets.php of the component Parameter Handler. Performing a manipulation of the argument Status results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /modify.php of the component Parameter Handler. This manipulation of the argument firstName causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
A SQL injection vulnerability in /view/find_friends.php in Campcodes Complete Web-Based School Management System 1.0 allows an attacker to execute arbitrary SQL commands via the my_index parameter.
An issue was discovered in Rausoft ID.prove 2.95. The login page allows SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter. Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation.
A security vulnerability has been detected in code-projects Simple Food Order System 1.0. Affected by this vulnerability is an unknown functionality of the file all-orders.php of the component Parameter Handler. The manipulation of the argument Status leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
A vulnerability was detected in code-projects Accounting System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_costumer.php of the component Parameter Handler. The manipulation of the argument cos_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
A flaw has been found in code-projects Accounting System 1.0. Affected by this issue is some unknown functionality of the file /edit_costumer.php of the component Parameter Handler. This manipulation of the argument cos_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.
A vulnerability was found in SourceCodester College Website Management System 1.0. It has been classified as critical. Affected is the file /cwms/admin/?page=articles/view_article/. The manipulation of the argument id with the input ' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc with an unknown input leads to sql injection. It is possible to launch the attack remotely and without authentication.
A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointment_action.php. The manipulation of the argument appointment_id results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
A security flaw has been discovered in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /checkupdatestatus.php of the component Parameters Handler. The manipulation of the argument serviceId results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
A weakness has been identified in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checklogin.php of the component Parameters Handler. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
A vulnerability classified as critical was found in Panabit Panalog 202103080942. This vulnerability affects unknown code of the file /Maintain/sprog_upstatus.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255268. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter.
SQL injection vulnerability in pub/m_pending_news/delete_pending_news.jsp in Enorth Webpublisher CMS allows remote attackers to execute arbitrary SQL commands via the cbNewsId parameter.
A security vulnerability has been detected in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /admin/admin_edit_supplier.php. The manipulation of the argument Supplier_Name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
A vulnerability was identified in code-projects Simple Food Order System 1.0. Affected by this vulnerability is an unknown functionality of the file /routers/add-item.php. Such manipulation of the argument price leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.
A security flaw has been discovered in code-projects Simple Laundry System 1.0. This affects an unknown function of the file /modstaffinfo.php of the component Parameter Handler. The manipulation of the argument userid results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
A SQL injection vulnerability in Yvan Dotet PostgreSQL Query Deluxe module (aka query_deluxe) 17.x before 17.0.0.4 allows a remote attacker to gain privileges via the query parameter to models/querydeluxe.py:QueryDeluxe::get_result_from_query.
A security flaw has been discovered in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_edit_menu.php. Performing a manipulation of the argument product_name results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /admin/admin_edit_employee.php. Executing a manipulation of the argument First_Name can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
A security flaw has been discovered in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checkregisitem.php of the component Parameter Handler. The manipulation of the argument Long-arm-shirtVol results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.