A flaw has been found in AMTT Hotel Broadband Operation System 1.0. The impacted element is an unknown function of the file /user/portal/get_firstdate.php. Executing manipulation of the argument uid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected by this vulnerability is an unknown functionality of the file /user/portal/get_expiredtime.php. This manipulation of the argument uid causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AMTT Hotel Broadband Operation System (HiBOS) V3.0.3.151204 and before is vulnerable to SQL Injection via /manager/card/card_detail.php.
AMTT Hotel Broadband Operation System (HiBOS) contains an unauthenticated command injection vulnerability in the /manager/radius/server_ping.php endpoint. The application constructs a shell command that includes the user-supplied ip parameter and executes it without proper validation or escaping. An attacker can insert shell metacharacters into the ip parameter to inject and execute arbitrary system commands as the web server user. The initial third-party disclosure in 2016 recommended contacting the vendor for remediation guidance. Additionally, this product may have been rebranded under a different name. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-14 at 04:45:53.510819 UTC.
A vulnerability classified as critical was found in AMTT Hotel Broadband Operation System 1.0. This vulnerability affects the function popen of the file /manager/network/port_setup.php. The manipulation of the argument SwitchVersion/SwitchWrite/SwitchIP/SwitchIndex/SwitchState leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
A security flaw has been discovered in AMTT Hotel Broadband Operation System 1.0. This affects an unknown part of the file /manager/card/cardmake_down.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in AMTT Hotel Broadband Operation System up to 3.0.3.151204. It has been classified as critical. Affected is an unknown function of the file /manager/frontdesk/online_status.php. The manipulation of the argument AccountID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AMTT Hotel Broadband Operation System (HiBOS) v3.0.3.151204 is vulnerable to SQL injection via manager/conference/calendar_remind.php.
A vulnerability classified as critical has been found in zj1983 zz up to 2024-8. Affected is the function GetDBUser of the file src/main/java/com/futvan/z/system/zorg/ZorgAction.java. The manipulation of the argument user_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SQL Injection vulnerability in Future-Depth Institutional Management Website (IMS) 1.0, allows attackers to execute arbitrary commands via the ad parameter to /admin_area/login_transfer.php.
SQL injection vulnerability in view.php in CoronaMatrix phpAddressBook 2.11 allows remote attackers to execute arbitrary SQL commands via the id parameter.
A flaw has been found in code-projects Simple Stock System 1.0. This affects an unknown function of the file /market/login.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.
A vulnerability was found in code-projects E-Commerce Website 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file user_signup.php. The manipulation of the argument firstname/middlename/email/address/contact/username leads to sql injection. The attack may be launched remotely. VDB-249002 is the identifier assigned to this vulnerability.
SQL Injection exists in PHP Scripts Mall Schools Alert Management Script 2.0.2 via the Login Parameter.
A vulnerability, which was classified as critical, was found in code-projects Library Management System 2.0. Affected is an unknown function of the file index.php. The manipulation of the argument category leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249006 is the identifier assigned to this vulnerability.
There is SQL Injection vulnerability at Helmet Store Showroom v1.0 Login Page. This vulnerability can be exploited to bypass admin access.
Multiple SQL injection vulnerabilities in doITLive CMS 2.50 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter in an USUB action to default.asp and the (2) Licence[SpecialLicenseNumber] (aka LicenceId) cookie to edit/default.asp.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.This issue affects Website Template: through 20231215.
A vulnerability was identified in itsourcecode University Management System 1.0. This affects an unknown function of the file /att_single_view.php. Such manipulation of the argument dt leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.
SQL injection vulnerability in the Docum module in PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle operation.
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
SQL injection vulnerability in listtest.php in YourFreeWorld Apartment Search Script allows remote attackers to execute arbitrary SQL commands via the r parameter.
SQL injection vulnerability in the blogwriter module 2.0 for Miniweb allows remote attackers to execute arbitrary SQL commands via the historymonth parameter to index.php.
SQL injection vulnerability in EfesTech E-Kontör and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
SQL injection vulnerability in wp-uploadfile.php in the Upload File plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the f_id parameter.
SQL injection vulnerability in index.php in the eEmpregos module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.
SQL Injection Vulnerability in tanujpatra228 Tution Management System (TMS) via the email parameter to processes/student_login.process.php.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in KaizenCoders Short URL allows SQL Injection.This issue affects Short URL: from n/a through 1.6.4.
SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter.
PHP Scripts Mall News Website Script 2.0.4 has SQL Injection via a search term.
SQL injection vulnerability in index.php in Netious CMS 0.4 allows remote attackers to execute arbitrary SQL commands via the pageid parameter, a different vector than CVE-2006-4047.
SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.
A vulnerability was found in Benner ModernaNet up to 1.1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /Home/JS_CarregaCombo?formName=DADOS_PESSOAIS_PLANO&additionalCondition=&insideParameters=&elementToReturn=DADOS_PESSOAIS_PLANO&ordenarPelaDescricao=true&direcaoOrdenacao=asc&_=1739290047295. The manipulation leads to sql injection. The attack may be launched remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component.
A vulnerability was identified in code-projects Assessment Management 1.0. This affects an unknown part of the file login.php. Such manipulation of the argument userid leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.
SQL injection vulnerability in index.php in the MyAnnonces 1.7 and earlier module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.
SQL Injection vulnerability in znfit Home improvement ERP management system V50_20220207,v42 allows attackers to execute arbitrary sql commands via the userCode parameter to the wechat applet.
A vulnerability was identified in code-projects Lost and Found Thing Management 1.0. Affected by this issue is some unknown functionality of the file /catageory.php. Such manipulation of the argument cat leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
A vulnerability was found in DataGear up to 4.60. It has been declared as critical. This vulnerability affects unknown code of the file /dataSet/resolveSql. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. Upgrading to version 4.7.0 is able to address this issue. It is recommended to upgrade the affected component.
A vulnerability was found in luckyshot CRMx and classified as critical. This issue affects the function get/save/delete/comment/commentdelete of the file index.php. The manipulation leads to sql injection. The attack may be initiated remotely. The name of the patch is 8c62d274986137d6a1d06958a6f75c3553f45f8f. It is recommended to apply a patch to fix this issue. The identifier VDB-216185 was assigned to this vulnerability.
Accruent LLC Maintenance Connection 2021 (all) & 2022.2 was discovered to contain a SQL injection vulnerability via the E-Mail to Work Order function.
SQL injection vulnerability in getdata.php in PIGMy-SQL 1.4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
Online Student Enrollment System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /student_enrollment/admin/login.php.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows SQL Injection.This issue affects Spiffy Calendar: from n/a through 4.9.1.
The Hide My WP WordPress plugin before 6.2.9 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
SQL injection vulnerability in the Jom Comment 2.0 build 345 component for Joomla! allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
A vulnerability has been found in SourceCodester Engineers Online Portal 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file my_classmates.php. The manipulation of the argument teacher_class_student_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240907.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gopi Ramasamy Email posts to subscribers allows SQL Injection.This issue affects Email posts to subscribers: from n/a through 6.2.
Unauth. SQL Injection (SQLi) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.
SQL injection vulnerability in ladder.php in My Gaming Ladder 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the ladderid parameter.