A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.
Multiple SQLi vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 18.5 MR4 and version 19.0 MR1.
A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710.
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA.
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
A post-auth SQL injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR1 (21.0.1) can potentially lead to administrators achieving arbitrary code execution.
A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix.
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)
SQL injection vulnerability in AccountStatus.jsp in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary SQL commands via the "username" GET parameter.
Hospital Management System 1.0 was discovered to contain a SQL injection vulnerability via the doc_number parameter at his_admin_view_single_employee.php.
The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link.
Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_admin.php.
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/inquiries/view_details.php.
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php.
Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php.
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/repairs/manage_repair.php.
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.
Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php.
Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/tenants/view_details.php.
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/manage_appointment.php.
Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file /cms/admin/categories/view_category.php.
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php.
Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php.
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the file /orms/admin/rooms/manage_room.php.
Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL in the file /storage/admin/maintenance/manage_pricing.php.
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php.
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.
SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/maintenance/manage_storage_unit.php.
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerale to SQL injection in the file/rsms/admin/repairs/view_details.php.
Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php.
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/reservations/view_details.php.
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php.
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/clients/manage_client.php
SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_employee.php.
Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/view_room.php.
Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.
Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL Injection in the file /rsms/admin/services/view_service.php.
SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php.
Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php.
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 the Sentilo Proxy server was discovered to contain a SQL injection vulnerability allowing an attacker to query other tables of the Sentilo service.
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows attacker to gain information disclosure via crafted SQL queries
Sourcecodester Online Reviewer System v1.0 is vulnerale to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php.
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php.
Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php.
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /msms/classes/Master.php?f=delete_appointment.
Sourcecodester Logistic Hub Parcel's Management System v1.0 is vulnerable to SQL Injection in /manage_parcel_type.php.