Vulnerabilities (CVE)

Online Ordering System 2.3.2 is vulnerable to SQL Injection via /ordering/admin/category/index.php?view=edit&id=.

Online Ordering System 2.3.2 is vulnerable to SQL Injection via /ordering/admin/stockin/loaddata.php.

Online Ordering System 2.3.2 is vulnerable to SQL Injection via /ordering/admin/stockin/index.php?view=edit&id=.

Online Ordering System By janobe 2.3.2 is vulnerable to SQL Injection via /ordering/admin/orders/loaddata.php.

Online Ordering System By janobe 2.3.2 has SQL Injection via /ordering/admin/products/index.php?view=edit&id=.

Online Ordering System By janobe 2.3.2 is vulneranle to SQL Injection via /ordering/index.php?q=products&id=.

There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.

Online Discussion Forum Site 1 was discovered to contain a blind SQL injection vulnerability via the component /odfs/posts/view_post.php.

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.

prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and ... Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to upgrade or to apple the patch manually. There are no known workarounds for this issue.

Show More

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` featu ... GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.

Show More

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions prior to 13.9.99.95 Tuleap does not sanitize properly user inputs when constructing the SQL query to retrieve data for the tracker reports. An attacker with the capability to create a new tracker can execute arbitrary SQL queries. Users are advised to upgrade. There is no known workaround for this issue.

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.

Multiple Authenticated (subscriber or higher user role) SQL Injection (SQLi) vulnerabilities in WooPlugins.co's Homepage Product Organizer for WooCommerce plugin <= 1.1 at WordPress.

A SQL injection vulnerability exists in Simple Task Scheduling System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable "id" parameter.

School Dormitory Management System v1.0 was discovered to contain a SQL injection vulnerability via the month parameter at /dms/admin/reports/daily_collection_report.php.

Room-rent-portal-site v1.0 is vulnerable to SQL Injection via /rrps/classes/Master.php?f=delete_category, id.

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f=update_application_status

Wedding Management System v1.0 is vulnerable to SQL Injection. via Wedding-Management/admin/select.php.

Wedding Management System v1.0 is vulnerable to SQL Injection. via /Wedding-Management/admin/budget.php?booking_id=.

Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/client_manage_account_details.php?booking_id=31&user_id=

Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/client_edit.php?booking=31&user_id=.

Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/client_assign.php?booking=31&user_id=.

Wedding Management System v1.0 is vulnerable to SQL Injection via Wedding-Management/wedding_details.php.

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\feature_edit.php.

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\users_edit.php.

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\photos_edit.php.

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\package_edit.php.

Wedding Management System v1.0 is vulnerable to SQL Injection via admin\client_assign.php.

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\client_edit.php.

Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\blog_events_edit.php.

Wedding Management System v1.0 is vulnerable to SQL injection via /Wedding-Management/admin/blog_events_edit.php?id=31.

Simple Bus Ticket Booking System 1.0 is vulnerable to SQL Injection via /SimpleBusTicket/index.php.

elitecms 1.01 is vulnerable to SQL Injection via /admin/edit_sidebar.php.

elitecms 1.01 is vulnerable to SQL Injection via admin/edit_sidebar.php?page=2&sidebar=

elitecms v1.01 is vulnerable to SQL Injection via /admin/add_sidebar.php.

elitecms 1.01 is vulnerable to SQL Injection via /admin/add_post.php.

elitecms v1.01 is vulnerable to SQL Injection via admin/edit_post.php.