IdeaTMS 2022 is vulnerable to SQL Injection via the PATH_INFO
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of MakercheckersApiResource Class.
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/admin/incidents/manage_incident.php?id=.
SQL injection vulnerability in the Calendar Base (cal) extension before 1.3.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via iCalendar data.
eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg.LoginHelperServlet (aka the Forgot Password feature).
A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass.
SQL injection vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in an articolo action.
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.
SQL injection vulnerability in index.php in Blue Eye CMS 1.0.0 and earlier allows remote attackers to execute arbitrary SQL commands via the clanek parameter.
Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via rdms/admin/respondent_types/view_respondent_type.php?id=.
A vulnerability was identified in code-projects Simple Food Ordering System 1.0. Impacted is an unknown function of the file /product.php. Such manipulation of the argument Category leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_credentials/admin/ or (4) index.php/go_site/go_get_user_info/.
SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table.
SQL injection vulnerability in detail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the ID parameter.
SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 allows remote attackers to execute arbitrary SQL commands via the password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
SQL injection vulnerability in user-profile.php in 2daybiz Video Community Portal Script allows remote attackers to execute arbitrary SQL commands via the userid parameter.
SQL injection vulnerability in album.php in Camera Life 2.6.2b4 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3355.
SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table.
SQL injection vulnerability in login.php in Dark Age CMS 0.2c beta allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.
kkcms v1.3.7 was discovered to contain a SQL injection vulnerability via the cid parameter at /template/wapian/vlist.php.
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
A vulnerability, which was classified as critical, was found in PHPGurukul Student Record System 3.20. Affected is an unknown function of the file /login.php. The manipulation of the argument id/password leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260616.
IdeaLMS 2022 allows SQL injection via the IdeaLMS/ChatRoom/ClassAccessControl/6?isBigBlueButton=0&ClassID= pathname.
SQL injection vulnerability in the Golf Course Guide (com_golfcourseguide) component 0.9.6.0 beta and 1 beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a golfcourses action to index.php.
PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/controller/project.php search() function.
WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard coded.
An issue was discovered in PbootCMS v1.0.9. There is a SQL Injection that can get important information from the database via the \apps\home\controller\ParserController.php scode parameter.
The 'reportID' parameter received by the '/common/run_report.php' script in the Quest KACE System Management Appliance 8.0.318 is not sanitized, leading to SQL injection (in particular, an error-based type).
A security vulnerability has been detected in Campcodes Online Learning Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_subject.php. The manipulation of the argument subject_code leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
A vulnerability was identified in SourceCodester Online Hotel Reservation System 1.0. The impacted element is an unknown function of the file deleteslide.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Multiple SQL injection vulnerabilities in 4Site CMS 2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) login and (2) password parameters to pcgi/4site.pl, (3) page parameter to print/print.shtml, (4) s and (5) i parameters to portfolio/index.shtml, (6) h parameter to hotel/index.php, (7) id parameter to news/news1.shtml, and the (8) th parameter to faq/index.shtml.
Online Ordering System 2.3.2 is vulnerable to SQL Injection via /ordering/admin/stockin/index.php?view=edit&id=.
A SQL injection vulnerability exists in Simple Task Scheduling System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable "id" parameter.
SQL injection vulnerability in video.php in 2daybiz Video Community Portal Script 1.0 allows remote attackers to execute arbitrary SQL commands via the videoid parameter.
SQL injection vulnerability in compte.php in PhpMyShop 1.00 allows remote attackers to execute arbitrary SQL commands via the (1) identifiant and (2) password parameters.
Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.
Blind SQL injection in coupon_code in the MemberMouse plugin 2.2.8 and prior for WordPress allows an unauthenticated attacker to dump the WordPress MySQL database via an applyCoupon action in an admin-ajax.php request.
The wpForo plugin through 2018-02-05 for WordPress has SQL Injection via a search with the /forum/ wpfo parameter.
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in view-directory.php.
SQL injection vulnerability in the WikiWiki module before 6.x-1.2 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
WUZHI CMS 4.1.0 has SQL Injection via an api/sms_check.php?param= URI.
SQL injection vulnerability in the ElearningForce Flash Magazine Deluxe (com_flashmagazinedeluxe) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the mag_id parameter in a magazine action to index.php.
Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS) for Joomla! allow remote attackers to execute arbitrary SQL commands via the id parameter in a showhoteldetails action to index.php in the (1) com_allhotels or (2) com_5starhotels module. NOTE: some of these details are obtained from third party information.
Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via /ordering/index.php?q=category&search=.
Online Car Wash Booking System v1.0 is vulnerable to SQL Injection via /ocwbs/admin/?page=bookings/view_details&id=.
SQL injection vulnerability in Default.asp in LinksPro Standard Edition allows remote attackers to execute arbitrary SQL commands via the OrderDirection parameter.
SQL injection vulnerability in index.php in the Recipes module 1.3, 1.4, and possibly other versions for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the recipeid parameter.
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL.
SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.