Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-15504

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-10 Jul, 2020 | 16:55
Updated At-04 Aug, 2024 | 13:15
Rejected At-
Credits

A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:10 Jul, 2020 | 16:55
Updated At:04 Aug, 2024 | 13:15
Rejected At:
▼CVE Numbering Authority (CNA)

A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504
x_refsource_CONFIRM
Hyperlink: https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504
x_refsource_CONFIRM
x_transferred
Hyperlink: https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:10 Jul, 2020 | 17:15
Updated At:14 Jul, 2020 | 21:04

A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
Sophos Ltd.
sophos
>>xg_firewall_firmware>>Versions from 17.0(inclusive) to 17.5(inclusive)
cpe:2.3:o:sophos:xg_firewall_firmware:*:*:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release1:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release10:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release11:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release12:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release3:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release4:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release5:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release6:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release7:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release8:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>17.5
cpe:2.3:o:sophos:xg_firewall_firmware:17.5:maintenance_release9:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>18.0
cpe:2.3:o:sophos:xg_firewall_firmware:18.0:-:*:*:*:*:*:*
Sophos Ltd.
sophos
>>xg_firewall_firmware>>18.0
cpe:2.3:o:sophos:xg_firewall_firmware:18.0:maintenance_release1:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarynvd@nist.gov
CWE ID: CWE-89
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504cve@mitre.org
Vendor Advisory
Hyperlink: https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504
Source: cve@mitre.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

9477Records found
CVE-2020-29574
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.88% / 94.05%
||
7 Day CHG~0.00%
Published-11 Dec, 2020 | 16:03
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-02-27||The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.

An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-cyberoamosn/aCyberoamOS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-12271
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-83.19% / 99.22%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 04:00
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)

Action-Not Available
Vendor-n/aSophos Ltd.
Product-sfosxg_firewalln/aSFOS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-1671
Matching Score-8
Assigner-Sophos Limited
ShareView Details
Matching Score-8
Assigner-Sophos Limited
CVSS Score-9.8||CRITICAL
EPSS-94.29% / 99.93%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 00:00
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-12-07||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

Action-Not Available
Vendor-Sophos Ltd.
Product-web_applianceSophos Web ApplianceWeb Appliance
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-6704
Matching Score-8
Assigner-Sophos Limited
ShareView Details
Matching Score-8
Assigner-Sophos Limited
CVSS Score-9.8||CRITICAL
EPSS-0.19% / 40.87%
||
7 Day CHG+0.02%
Published-21 Jul, 2025 | 13:16
Updated-18 Aug, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode.

Action-Not Available
Vendor-Sophos Ltd.
Product-firewall_firmwarefirewallSophos Firewall
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-15069
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-66.81% / 98.48%
||
7 Day CHG~0.00%
Published-29 Jun, 2020 | 17:30
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-02-27||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-xg_firewall_firmwarexg_firewalln/aXG Firewall
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2017-6182
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-14.26% / 94.13%
||
7 Day CHG~0.00%
Published-30 Mar, 2017 | 17:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-web_appliancen/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-3236
Matching Score-8
Assigner-Sophos Limited
ShareView Details
Matching Score-8
Assigner-Sophos Limited
CVSS Score-9.8||CRITICAL
EPSS-92.73% / 99.74%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 12:50
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-10-14||Apply updates per vendor instructions.

A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.

Action-Not Available
Vendor-Sophos Ltd.
Product-firewallSophos FirewallFirewall
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2006-0994
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-42.70% / 97.38%
||
7 Day CHG~0.00%
Published-10 May, 2006 | 10:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple Sophos Anti-Virus products, including Anti-Virus for Windows 5.x before 5.2.1 and 4.x before 4.05, when cabinet file inspection is enabled, allows remote attackers to execute arbitrary code via a CAB file with "invalid folder count values," which leads to heap corruption.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-sophos_anti-virusn/a
CVE-2022-1040
Matching Score-8
Assigner-Sophos Limited
ShareView Details
Matching Score-8
Assigner-Sophos Limited
CVSS Score-9.8||CRITICAL
EPSS-94.44% / 99.99%
||
7 Day CHG~0.00%
Published-25 Mar, 2022 | 12:10
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-21||Apply updates per vendor instructions.

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

Action-Not Available
Vendor-Sophos Ltd.
Product-sfosSophos FirewallFirewall
CVE-2020-25223
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.42% / 99.98%
||
7 Day CHG~0.00%
Published-25 Sep, 2020 | 00:00
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-15||Apply updates per vendor instructions.

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11

Action-Not Available
Vendor-n/aSophos Ltd.
Product-unified_threat_managementn/aSG UTM
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2004-0932
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-43.59% / 97.43%
||
7 Day CHG~0.00%
Published-19 Nov, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Action-Not Available
Vendor-archive_zipeset_softwarerav_antivirusn/aBroadcom Inc.Kaspersky LabCA Technologies (Broadcom Inc.)Gentoo Foundation, Inc.SUSESophos Ltd.McAfee, LLCMandriva (Mandrakesoft)
Product-etrust_secure_content_manageretrust_ez_armornod32_antivirussophos_puremessage_anti-virusrav_antivirus_for_file_serversetrust_ez_antivirusarchive_zipbrightstor_arcserve_backupetrust_intrusion_detectionetrust_antiviruslinuxkaspersky_anti-virussophos_anti-virusrav_antivirus_desktopinoculateitsophos_small_business_suiteetrust_antivirus_gatewayrav_antivirus_for_mail_serverssuse_linuxantivirus_enginemandrake_linuxn/a
CVE-2004-0937
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-13.20% / 93.87%
||
7 Day CHG~0.00%
Published-19 Nov, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Action-Not Available
Vendor-archive_zipeset_softwarerav_antivirusn/aBroadcom Inc.Kaspersky LabCA Technologies (Broadcom Inc.)Gentoo Foundation, Inc.SUSESophos Ltd.McAfee, LLCMandriva (Mandrakesoft)
Product-etrust_secure_content_manageretrust_ez_armornod32_antivirussophos_puremessage_anti-virusrav_antivirus_for_file_serversetrust_ez_antivirusarchive_zipbrightstor_arcserve_backupetrust_intrusion_detectionetrust_antiviruslinuxkaspersky_anti-virussophos_anti-virusrav_antivirus_desktopinoculateitsophos_small_business_suiteetrust_antivirus_gatewayrav_antivirus_for_mail_serverssuse_linuxantivirus_enginemandrake_linuxn/a
CVE-2004-0936
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-13.20% / 93.87%
||
7 Day CHG~0.00%
Published-19 Nov, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Action-Not Available
Vendor-archive_zipeset_softwarerav_antivirusn/aBroadcom Inc.Kaspersky LabCA Technologies (Broadcom Inc.)Gentoo Foundation, Inc.SUSESophos Ltd.McAfee, LLCMandriva (Mandrakesoft)
Product-etrust_secure_content_manageretrust_ez_armornod32_antivirussophos_puremessage_anti-virusrav_antivirus_for_file_serversetrust_ez_antivirusarchive_zipbrightstor_arcserve_backupetrust_intrusion_detectionetrust_antiviruslinuxkaspersky_anti-virussophos_anti-virusrav_antivirus_desktopinoculateitsophos_small_business_suiteetrust_antivirus_gatewayrav_antivirus_for_mail_serverssuse_linuxantivirus_enginemandrake_linuxn/a
CVE-2004-0934
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-39.95% / 97.22%
||
7 Day CHG~0.00%
Published-19 Nov, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Action-Not Available
Vendor-archive_zipeset_softwarerav_antivirusn/aBroadcom Inc.Kaspersky LabCA Technologies (Broadcom Inc.)Gentoo Foundation, Inc.SUSESophos Ltd.McAfee, LLCMandriva (Mandrakesoft)
Product-etrust_secure_content_manageretrust_ez_armornod32_antivirussophos_puremessage_anti-virusrav_antivirus_for_file_serversetrust_ez_antivirusarchive_zipbrightstor_arcserve_backupetrust_intrusion_detectionetrust_antiviruslinuxkaspersky_anti-virussophos_anti-virusrav_antivirus_desktopinoculateitsophos_small_business_suiteetrust_antivirus_gatewayrav_antivirus_for_mail_serverssuse_linuxantivirus_enginemandrake_linuxn/a
CVE-2004-0933
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-30.03% / 96.49%
||
7 Day CHG~0.00%
Published-19 Nov, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Action-Not Available
Vendor-archive_zipeset_softwarerav_antivirusn/aBroadcom Inc.Kaspersky LabCA Technologies (Broadcom Inc.)Gentoo Foundation, Inc.SUSESophos Ltd.McAfee, LLCMandriva (Mandrakesoft)
Product-etrust_secure_content_manageretrust_ez_armornod32_antivirussophos_puremessage_anti-virusrav_antivirus_for_file_serversetrust_ez_antivirusarchive_zipbrightstor_arcserve_backupetrust_intrusion_detectionetrust_antiviruslinuxkaspersky_anti-virussophos_anti-virusrav_antivirus_desktopinoculateitsophos_small_business_suiteetrust_antivirus_gatewayrav_antivirus_for_mail_serverssuse_linuxantivirus_enginemandrake_linuxn/a
CVE-2004-0935
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-13.20% / 93.87%
||
7 Day CHG~0.00%
Published-19 Nov, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Eset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Action-Not Available
Vendor-archive_zipeset_softwarerav_antivirusn/aBroadcom Inc.Kaspersky LabCA Technologies (Broadcom Inc.)Gentoo Foundation, Inc.SUSESophos Ltd.McAfee, LLCMandriva (Mandrakesoft)
Product-etrust_secure_content_manageretrust_ez_armornod32_antivirussophos_puremessage_anti-virusrav_antivirus_for_file_serversetrust_ez_antivirusarchive_zipbrightstor_arcserve_backupetrust_intrusion_detectionetrust_antiviruslinuxkaspersky_anti-virussophos_anti-virusrav_antivirus_desktopinoculateitsophos_small_business_suiteetrust_antivirus_gatewayrav_antivirus_for_mail_serverssuse_linuxantivirus_enginemandrake_linuxn/a
CVE-2020-11503
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 52.02%
||
7 Day CHG~0.00%
Published-18 Jun, 2020 | 15:25
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A heap-based buffer overflow in the awarrensmtp component of Sophos XG Firewall v17.5 MR11 and older potentially allows an attacker to run arbitrary code remotely.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-xg_firewallsfosn/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2019-17059
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.58% / 89.93%
||
7 Day CHG~0.00%
Published-11 Oct, 2019 | 16:45
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-cyberoamoscyberoamn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2005-2768
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-12.03% / 93.52%
||
7 Day CHG~0.00%
Published-02 Sep, 2005 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Heap-based buffer overflow in the Sophos Antivirus Library, as used by Sophos Antivirus, PureMessage, MailMonitor, and other products, allows remote attackers to execute arbitrary code via a Visio file with a crafted sub record length.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-sophos_anti-virusn/a
CVE-2004-1096
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-20.25% / 95.30%
||
7 Day CHG~0.00%
Published-01 Dec, 2004 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.

Action-Not Available
Vendor-eset_softwarerav_antivirusn/aBroadcom Inc.Kaspersky LabCA Technologies (Broadcom Inc.)Gentoo Foundation, Inc.SUSESophos Ltd.McAfee, LLCMandriva (Mandrakesoft)
Product-etrust_secure_content_manageretrust_ez_armornod32_antivirussophos_puremessage_anti-virusrav_antivirus_for_file_serversetrust_ez_antivirusbrightstor_arcserve_backupetrust_intrusion_detectionetrust_antiviruslinuxkaspersky_anti-virussophos_anti-virusrav_antivirus_desktopinoculateitsophos_small_business_suiteetrust_antivirus_gatewayrav_antivirus_for_mail_serverssuse_linuxantivirus_enginemandrake_linuxn/a
CVE-2022-3980
Matching Score-8
Assigner-Sophos Limited
ShareView Details
Matching Score-8
Assigner-Sophos Limited
CVSS Score-9.8||CRITICAL
EPSS-88.02% / 99.45%
||
7 Day CHG~0.00%
Published-16 Nov, 2022 | 00:00
Updated-29 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.

Action-Not Available
Vendor-Sophos Ltd.
Product-mobileSophos Mobile managed on-premises
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2004-0552
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-16.37% / 94.60%
||
7 Day CHG~0.00%
Published-28 Sep, 2004 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sophos Small Business Suite 1.00 on Windows does not properly handle files whose names contain reserved MS-DOS device names such as (1) LPT1, (2) COM1, (3) AUX, (4) CON, or (5) PRN, which can allow malicious code to bypass detection when it is installed, copied, or executed.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-small_business_suiten/a
CVE-2021-36807
Matching Score-6
Assigner-Sophos Limited
ShareView Details
Matching Score-6
Assigner-Sophos Limited
CVSS Score-8.8||HIGH
EPSS-0.21% / 42.81%
||
7 Day CHG~0.00%
Published-26 Nov, 2021 | 14:12
Updated-04 Aug, 2024 | 01:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.

Action-Not Available
Vendor-Sophos Ltd.
Product-unified_threat_management_up2dateSG UTM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-3711
Matching Score-6
Assigner-Sophos Limited
ShareView Details
Matching Score-6
Assigner-Sophos Limited
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 52.06%
||
7 Day CHG+0.06%
Published-01 Dec, 2022 | 00:00
Updated-23 Apr, 2025 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.

Action-Not Available
Vendor-Sophos Ltd.
Product-xg_firewall_firmwarexg_firewallSophos Firewall
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-3710
Matching Score-6
Assigner-Sophos Limited
ShareView Details
Matching Score-6
Assigner-Sophos Limited
CVSS Score-2.7||LOW
EPSS-0.21% / 44.02%
||
7 Day CHG+0.04%
Published-01 Dec, 2022 | 00:00
Updated-23 Apr, 2025 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.

Action-Not Available
Vendor-Sophos Ltd.
Product-xg_firewall_firmwarexg_firewallSophos Firewall
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-1807
Matching Score-6
Assigner-Sophos Limited
ShareView Details
Matching Score-6
Assigner-Sophos Limited
CVSS Score-7.2||HIGH
EPSS-0.15% / 36.16%
||
7 Day CHG~0.00%
Published-07 Sep, 2022 | 18:00
Updated-17 Jun, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1.

Action-Not Available
Vendor-Sophos Ltd.
Product-firewallSophos Firewall
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-0386
Matching Score-6
Assigner-Sophos Limited
ShareView Details
Matching Score-6
Assigner-Sophos Limited
CVSS Score-8.8||HIGH
EPSS-0.34% / 56.12%
||
7 Day CHG~0.00%
Published-21 Mar, 2022 | 23:45
Updated-02 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710.

Action-Not Available
Vendor-Sophos Ltd.
Product-unified_threat_managementSophos UTM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-16116
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.29% / 51.67%
||
7 Day CHG~0.00%
Published-20 Jun, 2019 | 16:18
Updated-05 Aug, 2024 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in AccountStatus.jsp in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary SQL commands via the "username" GET parameter.

Action-Not Available
Vendor-n/aSophos Ltd.
Product-xg_firewallsfosn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-2714
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.94%
||
7 Day CHG~0.00%
Published-13 Jul, 2010 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to execute arbitrary SQL commands via the album parameter.

Action-Not Available
Vendor-tcwonlinen/a
Product-tcw_php_albumn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-2926
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.10% / 28.76%
||
7 Day CHG~0.00%
Published-30 Jul, 2010 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in index.php in sNews 1.7 allows remote attackers to execute arbitrary SQL commands via the category parameter.

Action-Not Available
Vendor-solucijan/a
Product-snewsn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-5062
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.32% / 79.07%
||
7 Day CHG~0.00%
Published-23 Nov, 2011 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in search.php in MH Products kleinanzeigenmarkt allows remote attackers to execute arbitrary SQL commands via the c parameter.

Action-Not Available
Vendor-mh_productsn/a
Product-kleinanzeigenmarktn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-9022
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.03% / 7.50%
||
7 Day CHG+0.01%
Published-15 Aug, 2025 | 08:02
Updated-21 Aug, 2025 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Online Bank Management System statements.php sql injection

A vulnerability was identified in SourceCodester Online Bank Management System up to 1.0. This issue affects some unknown processing of the file /bank/statements.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-online_bank_management_systemOnline Bank Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-2609
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.42% / 79.79%
||
7 Day CHG~0.00%
Published-01 Jul, 2010 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in show_search_result.php in 2daybiz Job Search Engine Script allows remote attackers to execute arbitrary SQL commands via the keyword parameter.

Action-Not Available
Vendor-2daybizn/a
Product-job_search_engine_scriptn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-2616
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.32% / 54.29%
||
7 Day CHG~0.00%
Published-01 Jul, 2010 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in bible.php in PHP Bible Search, probably 0.99, allows remote attackers to execute arbitrary SQL commands via the chapter parameter.

Action-Not Available
Vendor-paul_mceneryn/a
Product-php_bible_searchn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-3428
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.54%
||
7 Day CHG~0.00%
Published-16 Sep, 2010 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in modules/notes/json.php in Intermesh Group-Office 3.5.9 allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a category action.

Action-Not Available
Vendor-intermeshn/a
Product-group-officen/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-2299
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.3||HIGH
EPSS-1.30% / 78.92%
||
7 Day CHG~0.00%
Published-22 Apr, 2016 | 00:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-ecavan/a
Product-integraxorn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-3989
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.40% / 59.72%
||
7 Day CHG~0.00%
Published-04 Nov, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in DBD::mysqlPP 0.04 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-hiroyuki_oyaman/a
Product-dbd\n/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-1061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.71% / 71.23%
||
7 Day CHG~0.00%
Published-22 Feb, 2011 | 23:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in memberlist.php in WSN Guest 1.24 allows remote attackers to execute arbitrary SQL commands via the time parameter.

Action-Not Available
Vendor-webmastersiten/a
Product-wsn_guestn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-9444
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.03% / 6.08%
||
7 Day CHG~0.00%
Published-26 Aug, 2025 | 03:02
Updated-26 Aug, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1000projects Online Project Report Submission and Evaluation System delete_group_student.php sql injection

A vulnerability has been found in 1000projects Online Project Report Submission and Evaluation System 1.0. This issue affects some unknown processing of the file /admin/controller/delete_group_student.php. The manipulation of the argument batch_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-1000 PROJECTS
Product-Online Project Report Submission and Evaluation System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-4559
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.09% / 77.03%
||
7 Day CHG~0.00%
Published-28 Nov, 2011 | 21:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the Calendar module in vTiger CRM 5.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the onlyforuser parameter in an index action to index.php.

Action-Not Available
Vendor-vtigern/a
Product-vtiger_crmn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-3458
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.51% / 65.18%
||
7 Day CHG~0.00%
Published-17 Sep, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in lib/toolkit/events/event.section.php in Symphony CMS 2.0.7 and 2.1.1 allows remote attackers to execute arbitrary SQL commands via the send-email[recipient] parameter to about/. NOTE: some of these details are obtained from third party information.

Action-Not Available
Vendor-getsymphonyn/a
Product-symphonyn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-3485
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.39% / 59.12%
||
7 Day CHG~0.00%
Published-22 Sep, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows remote attackers to execute arbitrary SQL commands via the userhandle cookie to LightNEasy.php, a different vector than CVE-2008-6593. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Action-Not Available
Vendor-lightneasyn/a
Product-lightneasyn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-4671
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.78% / 72.63%
||
7 Day CHG~0.00%
Published-02 Dec, 2011 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter (aka redirect URL).

Action-Not Available
Vendor-adrotatepluginn/aWordPress.org
Product-wordpressadrotaten/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-4847
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.17% / 38.49%
||
7 Day CHG~0.00%
Published-16 Dec, 2011 | 11:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 allows remote attackers to execute arbitrary SQL commands via a certificateslist cookie to notification@/.

Action-Not Available
Vendor-n/aParallels International GmbhMicrosoft Corporation
Product-windows_server_2008parallels_plesk_panelwindows_2003_servern/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-4803
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.83% / 73.56%
||
7 Day CHG~0.00%
Published-14 Dec, 2011 | 00:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in wptouch/ajax.php in the WPTouch plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Action-Not Available
Vendor-bravenewcoden/aWordPress.org
Product-wordpresswptouchn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-2032
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-0.20% / 41.77%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 13:17
Updated-27 Nov, 2024 | 19:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Custom 404 Pro < 3.8.1 - Multiple SQL Injection

The Custom 404 Pro WordPress plugin before 3.8.1 does not properly sanitize database inputs, leading to multiple SQL Injection vulnerabilities.

Action-Not Available
Vendor-kunalnagarUnknown
Product-custom_404_proCustom 404 Pro
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-8166
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.03% / 7.48%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 19:02
Updated-05 Aug, 2025 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Church Donation System HTTP POST Request index.php sql injection

A vulnerability was found in code-projects Church Donation System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/index.php of the component HTTP POST Request Handler. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-carmeloSource Code & Projects
Product-church_donation_systemChurch Donation System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-4999
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-3.51% / 87.16%
||
7 Day CHG~0.00%
Published-05 Aug, 2016 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-jboss_enterprise_brms_platformdashbuilderjboss_bpm_suiten/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2011-4026
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.45% / 62.53%
||
7 Day CHG~0.00%
Published-21 Oct, 2011 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in thanks.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

Action-Not Available
Vendor-xia_zuojien/a
Product-nexusphpn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2010-2925
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.35% / 56.71%
||
7 Day CHG~0.00%
Published-30 Jul, 2010 | 20:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in index.php in Freeway CMS 1.4.3.210 allows remote attackers to execute arbitrary SQL commands via the ecPath parameter.

Action-Not Available
Vendor-openfreewayn/a
Product-freewayn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 189
  • 190
  • Next
Details not found