The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution.
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
A vulnerability, which was classified as critical, has been found in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the component Admin Dashboard. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249356.
Sourcecodester Simple Social Networking Site v1.0 is vulnerable to SQL Injection via /sns/admin/members/view_member.php?id=.
Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=orders/view_order&id=.
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/role/list.
Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via ctpms/admin/?page=user/manage_user&id=.
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/save.
ShopWind <= v3.4.2 has a Sql injection vulnerability in Database.php
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/hy.
A vulnerability was found in DedeBIZ 6.2 and classified as critical. This issue affects some unknown processing of the file /src/admin/content_batchup_action.php. The manipulation of the argument endid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247883. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability, which was classified as critical, has been found in Campcodes Online College Library System 1.0. This issue affects some unknown processing of the file /admin/book_row.php of the component HTTP POST Request Handler. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249365 was assigned to this vulnerability.
Sourcecodester Simple Social Networking Site v1.0 is vulnerable to SQL Injection via /sns/admin/?page=user/manage_user&id=.
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/del.
Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/admin/applications/update_status.php?id=.
A vulnerability, which was classified as critical, was found in OTCMS 7.01. Affected is an unknown function of the file /admin/ind_backstage.php. The manipulation of the argument sqlContent leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247908.
Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-authentication SQL injection via the site_edit.php typeid or site parameter, the search_incidents_advanced.php search_title parameter, or the report_qbe.php criteriafield parameter.
Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=maintenance/manage_sub_category&id=.
Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/?p=products&c=.
A vulnerability has been found in SourceCodester Loan Management System 1.0 and classified as critical. This vulnerability affects the function delete_borrower of the file deleteBorrower.php. The manipulation of the argument borrower_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-246136.
Sourcecodester Simple Social Networking Site v1.0 is vulnerable to SQL Injection via /sns/admin/?page=posts/view_post&id=.
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue
Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/orders/view_order.php?view=user&id=.
Insurance Management System 1.0 is vulnerable to SQL Injection via /insurance/editNominee.php?nominee_id=.
Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/classes/Master.php?f=delete_cargo.
A vulnerability, which was classified as critical, was found in Netentsec NS-ASG Application Security Gateway 6.3. This affects an unknown part of the file /admin/list_addr_fwresource_ip.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-243057 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/news/save.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eyal Fitoussi GEO my WordPress.This issue affects GEO my WordPress: from n/a through 4.0.2.
A vulnerability classified as critical was found in huakecms 3.0. Affected by this vulnerability is an unknown functionality of the file /admin/cms_content.php. The manipulation of the argument cid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-240877 was assigned to this vulnerability.
A SQL Injection vulnerability in /admin/sauvegarde/run.php in PMB 7.4.7 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via the sauvegardes variable through the /admin/sauvegarde/run.php endpoint.
Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action in the sliders_huge_it_slider page to wp-admin/admin.php.
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/vod/admin/topic/del.
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del.
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/page_del.
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/hy.
Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/admin/cargo_types/view_cargo_type.php?id=.
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.
Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/admin/?page=individuals/view_individual&id=.
SourceCodester Vehicle Parking Area Management System v1.0 is vulnerable to SQL Injection in the file /parking/view_parked_details.php.
Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/admin/?page=applications/view_application&id=.
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.
JEvents Joomla Component before 3.4.0 RC6 has SQL Injection via evid in a Manage Events action.
Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/admin/individuals/update_status.php?id=.
Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/admin/cargo_types/manage_cargo_type.php?id=.
The History Log by click5 WordPress plugin before 1.0.13 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it.
Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/admin/?page=product/manage_product&id=.
Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/?p=view_product&id=.