Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37361 | 1 Vanderbilt | 1 Redcap | 2024-11-21 | N/A | 2.7 LOW |
|
REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.
|
|||||
| CVE-2023-37278 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 6.8 MEDIUM |
|
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.
|
|||||
| CVE-2023-37270 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A | 7.6 HIGH |
|
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL state ...
Show More |
|||||
| CVE-2023-37258 | 1 Dataease | 1 Dataease | 2024-11-21 | N/A | 8.8 HIGH |
|
DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, DataEase has a SQL injection vulnerability that can bypass blacklists. The vulnerability has been fixed in v1.18.9. There are no known workarounds.
|
|||||
| CVE-2023-37197 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2024-11-21 | N/A | 8.8 HIGH |
|
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the mass configuration settings of endpoints on DCE.
|
|||||
| CVE-2023-37196 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2024-11-21 | N/A | 8.8 HIGH |
|
A CWE-89: Improper Neutralization of Special Elements vulnerability used in an SQL Command
('SQL Injection') vulnerability exists that could allow a user already authenticated on DCE to
access unauthorized content, change, or delete content, or perform unauthorized actions when
tampering with the alert settings of endpoints on DCE.
|
|||||
| CVE-2023-37165 | 1 Millhouse-project Project | 1 Millhouse-project | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Millhouse-Project v1.414 was discovered to contain a remote code execution (RCE) vulnerability via the component /add_post_sql.php.
|
|||||
| CVE-2023-37069 | 1 Online Hospital Management System Project | 1 Online Hospital Management System | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Code-Projects Online Hospital Management System V1.0 is vulnerable to SQL Injection (SQLI) attacks, which allow an attacker to manipulate the SQL queries executed by the application. The application fails to properly validate user-supplied input in the login id and password fields during the login process, enabling an attacker to inject malicious SQL code.
|
|||||
| CVE-2023-37068 | 1 Sherlock | 1 Gym Management System | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Code-Projects Gym Management System V1.0 allows remote attackers to execute arbitrary SQL commands via the login form, leading to unauthorized access and potential data manipulation. This vulnerability arises due to insufficient validation of user-supplied input in the username and password fields, enabling SQL Injection attacks.
|
|||||
| CVE-2023-36968 | 1 Food Ordering System Project | 1 Food Ordering System | 2024-11-21 | N/A | 7.2 HIGH |
|
A SQL Injection vulnerability detected in Food Ordering System v1.0 allows attackers to run commands on the database by sending crafted SQL queries to the ID parameter.
|
|||||
| CVE-2023-36934 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | N/A | 9.1 CRITICAL |
|
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit databa ...
Show More |
|||||
| CVE-2023-36932 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | N/A | 8.1 HIGH |
|
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEi ...
Show More |
|||||
| CVE-2023-36808 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 8.6 HIGH |
|
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
|
|||||
| CVE-2023-36677 | 1 Smartypantsplugins | 1 Sp Project \& Document Manager | 2024-11-21 | N/A | 8.8 HIGH |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager allows SQL Injection.This issue affects SP Project & Document Manager: from n/a through 4.67.
|
|||||
| CVE-2023-36663 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | N/A | 8.8 HIGH |
|
it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the sort parameter of the API interface.
|
|||||
| CVE-2023-36311 | 1 Phpjabbers | 1 Document Creator | 2024-11-21 | N/A | 9.8 CRITICAL |
|
There is a SQL injection (SQLi) vulnerability in the "column" parameter of index.php in PHPJabbers Document Creator v1.0.
|
|||||
| CVE-2023-36293 | 1 Wmanager | 1 Wmanager | 2024-11-21 | N/A | 7.5 HIGH |
|
SQL injection vulnerability in wmanager v.1.0.7 and before allows a remote attacker to obtain sensitive information via a crafted script to the company.php component.
|
|||||
| CVE-2023-36284 | 1 Webkul | 1 Qloapps | 2024-11-21 | N/A | 7.5 HIGH |
|
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.
|
|||||
| CVE-2023-36263 | 1 Prestashop | 1 Opartlimitquantity | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
|
|||||
| CVE-2023-36213 | 1 Motocms | 1 Motocms | 2024-11-21 | N/A | 9.8 CRITICAL |
|
SQL injection vulnerability in MotoCMS v.3.4.3 allows a remote attacker to gain privileges via the keyword parameter of the search function.
|
|||||
| CVE-2023-36189 | 1 Langchain | 1 Langchain | 2024-11-21 | N/A | 7.5 HIGH |
|
SQL injection vulnerability in langchain before v0.0.247 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.
|
|||||
| CVE-2023-36076 | 1 Pocketmanga | 1 Smanga | 2024-11-21 | N/A | 9.8 CRITICAL |
|
SQL Injection vulnerability in smanga version 3.1.9 and earlier, allows remote attackers to execute arbitrary code and gain sensitive information via mediaId, mangaId, and userId parameters in php/history/add.php.
|
|||||
| CVE-2023-35924 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 8.6 HIGH |
|
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
|
|||||
| CVE-2023-35915 | 1 Automattic | 1 Woopayments | 2024-11-21 | N/A | 7.6 HIGH |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.
|
|||||
| CVE-2023-35879 | 1 Woo | 1 Product Vendors | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce Product Vendors allows SQL Injection.This issue affects Product Vendors: from n/a through 2.1.78.
|
|||||
| CVE-2023-35851 | 1 Sun.net | 1 Wmpro | 2024-11-21 | N/A | 7.5 HIGH |
|
SUNNET WMPro portal's FAQ function has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL commands to obtain sensitive information via a database.
|
|||||
| CVE-2023-35811 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | N/A | 8.8 HIGH |
|
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. Two SQL Injection vectors have been identified in the REST API. By using crafted requests, custom SQL code can be injected through the REST API because of missing input validation. Regular user privileges can use used for exploitation. Editions other than Enterprise are also affected.
|
|||||
| CVE-2023-35782 | 1 Ipandlanguageredirect Project | 1 Ipandlanguageredirect | 2024-11-21 | N/A | 8.2 HIGH |
|
The ipandlanguageredirect extension before 5.1.2 for TYPO3 allows SQL Injection.
|
|||||
| CVE-2023-35708 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | N/A | 9.8 CRITICAL |
|
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are f ...
Show More |
|||||
| CVE-2023-35683 | 1 Google | 1 Android | 2024-11-21 | N/A | 5.5 MEDIUM |
|
In bindSelection of DatabaseUtils.java, there is a possible way to access files from other applications due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2023-35188 | 1 Solarwinds | 1 Solarwinds Platform | 2024-11-21 | N/A | 8.0 HIGH |
|
SQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited.
|
|||||
| CVE-2023-35132 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 6.3 MEDIUM |
|
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
|
|||||
| CVE-2023-35072 | 1 Coyavtravel | 1 Proagent | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Coyav Travel Proagent allows SQL Injection.This issue affects Proagent: before 20230904 .
|
|||||
| CVE-2023-35071 | 1 Mrv | 1 Logging Administration Panel | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MRV Tech Logging Administration Panel allows SQL Injection.This issue affects Logging Administration Panel: before 20230915 .
|
|||||
| CVE-2023-35070 | 1 Vegagroup | 1 Web Collection | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VegaGroup Web Collection allows SQL Injection.This issue affects Web Collection: before 31197.
|
|||||
| CVE-2023-35068 | 1 Bma | 1 Personnel Tracking System | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BMA Personnel Tracking System allows SQL Injection.This issue affects Personnel Tracking System: before 20230904.
|
|||||
| CVE-2023-35066 | 1 Infodrom | 1 E-invoice Approval System | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infodrom Software E-Invoice Approval System allows SQL Injection.This issue affects E-Invoice Approval System: before v.20230701.
|
|||||
| CVE-2023-35065 | 1 Osoft | 1 Dyeing - Printing - Finishing Production Management | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Osoft Paint Production Management allows SQL Injection.This issue affects Paint Production Management: before 2.1.
|
|||||
| CVE-2023-35064 | 1 Satos | 1 Satos Mobile | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Satos Satos Mobile allows SQL Injection through SOAP Parameter Tampering.This issue affects Satos Mobile: before 20230607.
|
|||||
| CVE-2023-34991 | 1 Fortinet | 1 Fortiwlm | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.0 through 8.4.2 and 8.3.0 through 8.3.2 and 8.2.2 allows attacker to execute unauthorized code or commands via a crafted http request.
|
|||||