Multiple SQL injection vulnerabilities in giris.asp in Aspee and Dogantepe Ziyaretci Defteri allow remote attackers to execute arbitrary SQL commands via the (1) kullanici or (2) parola parameter.
The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default password of admin for the (1) scrutinizer and (2) scrutremote accounts, which allows remote attackers to execute arbitrary SQL commands via a TCP session.
A weakness has been identified in Campcodes Grocery Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=save_receiving. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited.
A vulnerability was found in SourceCodester Doctors Appointment System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file login.php. The manipulation of the argument useremail leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-236365 was assigned to this vulnerability.
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/maintenance/manage_service.php?id=.
SQL injection vulnerability in application/controllers/invoice.php in NeoInvoice might allow remote attackers to execute arbitrary SQL commands via vectors involving the sort_col variable in the list_items function, a different vulnerability than CVE-2012-3477.
A vulnerability was found in 1000 Projects Employee Task Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /index.php of the component Login. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
download.php in inoERP 4.15 allows SQL injection through insecure deserialization.
A vulnerability was determined in SiempreCMS up to 1.3.6. This affects an unknown part of the file user_search_ajax.php. This manipulation of the argument name/userName causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.
GoRose v1.0.4 has SQL Injection when the order_by or group_by parameter can be controlled.
OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection.
In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) v1, the username parameter of the authentication form is vulnerable to SQL injection, allowing attackers to access the database.
A vulnerability, which was classified as critical, was found in SourceCodester Inventory Management System 1.0. This affects an unknown part of the file edit_sell.php. The manipulation of the argument up_pid leads to sql injection. It is possible to initiate the attack remotely. The identifier VDB-236217 was assigned to this vulnerability.
SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.
SQL injection vulnerability in inc_webblogmanager.asp in DMXReady Blog Manager allows remote attackers to execute arbitrary SQL commands via the itemID parameter in a view action.
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
SQL injection vulnerability in detail.php in MountainGrafix easyLink 1.1.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter in a show action.
SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php.
SQL injection vulnerability in index.php in One-News Beta 2 allows remote attackers to execute arbitrary SQL commands via the q parameter.
Adobe Experience Manager versions 6.5, 6.4, 6.3, 6.2, 6.1, and 6.0 have an user interface injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.
ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection via the imageId parameter in a facetag.changeTag or facetag.listTags action.
A flaw has been found in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via all-query-page.php.
SQL injection vulnerability in index.php in SoftComplex PHP Image Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the Admin field in a login action.
Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection (Boolean Based Blind) in the redirect parameters and parameter name of the login page through a GET request. The injection allows an attacker to read sensitive information from the database used by the application.
SQL injection vulnerability in index.php in Bluo CMS 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
In Jobberbase 2.0, the parameter category is not sanitized in public/page_subscribe.php, leading to /subscribe SQL injection.
SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
An issue was discovered in CSS-TRICKS Chat2 through 2015-05-05. The userid parameter in jumpin.php has a SQL injection vulnerability.
The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in database/index.js.
New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.
The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php.
Atom.CMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_uploads.php
SQL injection vulnerability in viewcomments.php in Scripts For Sites (SFS) EZ Hot or Not allows remote attackers to execute arbitrary SQL commands via the phid parameter.
Movie Seat Reservation v1 was discovered to contain a SQL injection vulnerability at /index.php?page=reserve via the id parameter.
The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969.
Pvanloon1983 social_network before 2019-07-03 allows SQL injection in includes/form_handlers/register_handler.php.
SQL injection vulnerability in default.asp in Ocean12 Contact Manager Pro 1.02 allows remote attackers to execute arbitrary SQL commands via the Sort parameter.
SQL injection vulnerability in Fussballtippspiel (toto) 0.1.1 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
SQL injection vulnerability in LetoDMS_Core/Core/inc.ClassDMS.php in LetoDMS (formerly MyDMS) before 3.3.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
An SQL Injection vulnerabilty exists in Kreado Kreasfero 1.5 via the id parameter.
Frappe is a low code web framework written in Python and Javascript. A SQL Injection vulnerability has been identified in the Frappe Framework which could allow a malicious actor to access sensitive information. This issue has been addressed in versions 13.46.1 and 14.20.0. Users are advised to upgrade. There's no workaround to fix this without upgrading.
Dairy Farm Shop Management System Using PHP and MySQL v1.1 was discovered to contain multiple SQL injection vulnerabilities in the Login function via the Username and Password parameters.
Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.
Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item.
SQL injection vulnerability in DataEase v.1.18.9 allows a remote attacker to obtain sensitive information via a crafted string outside of the blacklist function.
A vulnerability was found in code-projects Crud Operation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file savedata.php. The manipulation of the argument sname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.