Schoolmate 1.3 is vulnerable to SQL Injection in the variable $schoolname from Database at ~\header.php.
SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP).
An improper input validation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to conduct SQL injection attacks.
An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request.
A vulnerability classified as critical has been found in Campcodes Beauty Salon Management System 1.0. Affected is an unknown function of the file add-product.php. The manipulation of the argument category leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-234252.
Dell Avamar, versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869, contains an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Command execution.
SQL injection vulnerability in BibORB 1.3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password.
LyLme Spage <=1.6.0 is vulnerable to SQL Injection via /admin/group.php.
In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter.
Wavelog 1.8.5 allows Activated_gridmap_model.php get_band_confirmed SQL injection via band, sat, propagation, or mode.
An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.
An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, and 19.10.2. SQL Injection exists via the include/monitoring/status/Hosts/xml/hostXML.php instance parameter.
An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.
SQL injection vulnerability in actions/usersettings/usersettings.php in WikkaWiki 1.3.1 and 1.3.2 allows remote attackers to execute arbitrary SQL commands via the default_comment_display parameter in an update action.
SQL injection vulnerability in living-e webEdition CMS allows remote attackers to execute arbitrary SQL commands via the we_objectID parameter.
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.
SQL Injection exists in the File Download Tracker 3.0 component for Joomla! via the dynfield[phone] or sess parameter.
Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php, the duplicate parameter to modules\Contacts\ShowDuplicates.php, the mergecur parameter to modules\Currencies\index.php and modules\Opportunities\Opportunity.php, and the load_signed_id parameter to modules\Documents\Document.php.
SQL injection vulnerability in product_detail.php in DXShopCart 4.30mc allows remote attackers to execute arbitrary SQL commands via the pid parameter.
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /staff/edit_book_details.php.
The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then using INTO OUTFILE with a .php filename.
Vulnerability in School ERP Pro+Responsive 1.0 that allows SQL injection through the '/SchoolERP/office_admin/' index in the parameters groups_id, examname, classes_id, es_voucherid, es_class, etc. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the database.
Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield.
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/list.
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection vulnerability in main/main.php in QuestCMS allows remote attackers to execute arbitrary SQL commands via the obj parameter.
Cloudlog 2.6.15 allows Oqrs.php delete_oqrs_line id SQL injection.
A vulnerability classified as critical was found in SourceCodester Music Class Enrollment System 1.0. Affected by this vulnerability is an unknown functionality of the file /mces/?p=class/view_class. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268795.
SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI.
SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobile_preview.php or index.php.
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the order_by shortcode attribute in all versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.
SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.
SQL injection vulnerability in my.activation.php3 in F5 FirePass 6.0.0 through 6.1.0 and 7.0.0 allows remote attackers to execute arbitrary SQL commands via the state parameter.
SQL Injection exists in the DT Register 3.2.7 component for Joomla! via a task=edit&id= request.
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter.
Jepaas v7.2.8 was discovered to contain a SQL injection vulnerability via the orderSQL parameter at /homePortal/loadUserMsg.
SQL injection vulnerability in galerie.php in Galerie 3.2 allows remote attackers to execute arbitrary SQL commands via the pic parameter.
SQL injection in the Spider Event Calendar (aka spider-event-calendar) plugin before 1.5.52 for WordPress is exploitable with the order_by parameter to calendar_functions.php or widget_Theme_functions.php, related to front_end/frontend_functions.php.
An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.
SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earlier allows remote attackers to execute arbitrary SQL commands via a recook cookie.
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.
SQL injection vulnerability in the Xe webtv (com_xewebtv) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php.
Code-Projects Online Hospital Management System V1.0 is vulnerable to SQL Injection (SQLI) attacks, which allow an attacker to manipulate the SQL queries executed by the application. The application fails to properly validate user-supplied input in the login id and password fields during the login process, enabling an attacker to inject malicious SQL code.
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been rated as critical. This issue affects some unknown processing of the file index.php. The manipulation of the argument user_email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268793 was assigned to this vulnerability.