Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44567 | 1 Rosariosis | 1 Rosariosis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.
|
|||||
| CVE-2021-44427 | 1 Rosariosis | 1 Rosariosis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
|
|||||
| CVE-2021-44350 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.
|
|||||
| CVE-2021-44349 | 1 Yejiao | 1 Tuzicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\DownloadController.class.php.
|
|||||
| CVE-2021-44348 | 1 Yejiao | 1 Tuzicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameer in App\Manage\Controller\AdvertController.class.php.
|
|||||
| CVE-2021-44347 | 1 Yejiao | 1 Tuzicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Controller\GuestbookController.class.php.
|
|||||
| CVE-2021-44345 | 1 Wvti | 1 One Card Integrated Management System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Beijing Wisdom Vision Technology Industry Co., Ltd One Card Integrated Management System 3.0 is vulnerable to SQL Injection.
|
|||||
| CVE-2021-44302 | 1 Baicloud-cms Project | 1 Baicloud-cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
BaiCloud-cms v2.5.7 was discovered to contain multiple SQL injection vulnerabilities via the tongji and baidu_map parameters in /user/ztconfig.php.
|
|||||
| CVE-2021-44280 | 1 Attendance Management System Project | 1 Attendance Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.
|
|||||
| CVE-2021-44249 | 1 Online Motorcycle \(bike\) Rental System Project | 1 Online Motorcycle \(bike\) Rental System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Blind Time-Based SQL Injection attack within the login portal. This can lead attackers to remotely dump MySQL database credentials.
|
|||||
| CVE-2021-44245 | 1 Covid 19 Testing Management System Project | 1 Covid 19 Testing Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An SQL Injection vulnerability exists in Courcecodester COVID 19 Testing Management System (CTMS) 1.0 via the (1) username and (2) contactno parameters.
|
|||||
| CVE-2021-44244 | 1 Sourcecodester Logistic Hub Parcel\'s Management System Project | 1 Sourcecodester Logistic Hub Parcel\'s Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An SQL Injection vulnerabiity exists in Sourcecodester Logistic Hub Parcel's Management System 1.0 via the username parameter in login.php.
|
|||||
| CVE-2021-44161 | 1 Changingtec | 1 Motp | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
|
Changing MOTP (Mobile One Time Password) system’s specific function parameter has insufficient validation for user input. A attacker in local area network can perform SQL injection attack to read, modify or delete backend database without authentication.
|
|||||
| CVE-2021-44135 | 1 Pagekit | 1 Pagekit | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
pagekit all versions, as of 15-10-2021, is vulnerable to SQL Injection via Comment listing.
|
|||||
| CVE-2021-44098 | 1 Egavilanmedia | 1 Expense Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
EGavilan Media Expense-Management-System 1.0 is vulnerable to SQL Injection via /expense_action.php. This allows a remote attacker to compromise Application SQL database.
|
|||||
| CVE-2021-44097 | 1 Contact-form-with-messages-entry-management Project | 1 Contact-form-with-messages-entry-management | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 is vulnerable to SQL Injection via Addmessage.php. This allows a remote attacker to compromise Application SQL database.
|
|||||
| CVE-2021-44096 | 1 Egavilanmedia | 1 User Registration And Login System With Admin Panel | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
EGavilan Media User-Registration-and-Login-System-With-Admin-Panel 1.0 is vulnerable to SQL Injection via profile_action - update_user. This allows a remote attacker to compromise Application SQL database.
|
|||||
| CVE-2021-44095 | 1 Hospital Management System Project | 1 Hospital Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A SQL injection vulnerability exists in ProjectWorlds Hospital Management System in php 1.0 on login page that allows a remote attacker to compromise Application SQL database.
|
|||||
| CVE-2021-44090 | 1 Sourcecodester Online Reviewer System Project | 1 Sourcecodester Online Reviewer System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An SQL Injection vulnerability exists in Sourcecodester Online Reviewer System 1.0 via the password parameter.
|
|||||
| CVE-2021-44088 | 1 Attendance And Payroll System Project | 1 Attendance And Payroll System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters.
|
|||||
| CVE-2021-44050 | 2 Broadcom, Microsoft | 4 Ca Network Flow Analysis, Windows Server 2012, Windows Server 2016 and 1 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.
|
|||||
| CVE-2021-43971 | 1 Sysaid | 1 Sysaid | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITIL 20.4.74 b10 allows a remote authenticated attacker to execute arbitrary SQL commands via the filterText parameter.
|
|||||
| CVE-2021-43969 | 1 Quicklert | 1 Quicklert | 2024-11-21 | 7.8 HIGH | 6.5 MEDIUM |
|
The login.jsp page of Quicklert for Digium 10.0.0 (1043) is affected by both Blind SQL Injection with Out-of-Band Interaction (DNS) and Blind Time-Based SQL Injections. Exploitation can be used to disclose all data within the database (up to and including the administrative accounts' login IDs and passwords) via the login.jsp uname parameter.
|
|||||
| CVE-2021-43863 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to ver ...
Show More |
|||||
| CVE-2021-43851 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 6.5 MEDIUM | 8.1 HIGH |
|
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerability exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to not properly checking of the "group" and "status" parameters in POST requests. Group parameter is posted along when navigating between organizational subgroups (groups.php file). Status parameter is used in multiple files to change a status of an entity such as making a project, task, or user inactive. ...
Show More |
|||||
| CVE-2021-43830 | 1 Openproject | 1 Openproject | 2024-11-21 | 6.5 MEDIUM | 7.4 HIGH |
|
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at ...
Show More |
|||||
| CVE-2021-43822 | 1 Jackalope Doctrine-dbal Project | 1 Jackalope Doctrine-dbal | 2024-11-21 | 6.8 MEDIUM | 8.5 HIGH |
|
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain ...
Show More |
|||||
| CVE-2021-43806 | 1 Enalean | 1 Tuleap | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not sanitize properly user settings when constructing the SQL query to browse and search commits in the CVS repositories. A authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without an active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Editio ...
Show More |
|||||
| CVE-2021-43789 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
|
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.
|
|||||
| CVE-2021-43766 | 1 Odyssey Project | 1 Odyssey | 2024-11-21 | N/A | 8.1 HIGH |
|
Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.
|
|||||
| CVE-2021-43735 | 1 Cmswing | 1 Cmswing | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
CmsWing 1.3.7 is affected by a SQLi vulnerability via parameter: behavior rule.
|
|||||
| CVE-2021-43701 | 1 Cszcms | 1 Csz Cms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/article_db, via the fieldS[] and orderby parameters.
|
|||||
| CVE-2021-43700 | 1 Apimanager Project | 1 Apimanager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in ApiManager 1.1. there is sql injection vulnerability that can use in /index.php?act=api&tag=8.
|
|||||
| CVE-2021-43679 | 1 Shopex | 1 Ecshop | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php.
|
|||||
| CVE-2021-43650 | 1 Softwell | 1 Webrun | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.
|
|||||
| CVE-2021-43631 | 1 Projectworlds | 1 Hospital Management System In Php | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the appointment_no parameter in payment.php.
|
|||||
| CVE-2021-43630 | 1 Projectworlds | 1 Hospital Management System In Php | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in add_patient.php. As a result, an authenticated malicious user can compromise the databases system and in some cases leverage this vulnerability to get remote code execution on the remote web server.
|
|||||
| CVE-2021-43629 | 1 Projectworlds | 1 Hospital Management System In Php | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in admin_home.php.
|
|||||
| CVE-2021-43628 | 1 Projectworlds | 1 Hospital Management System In Php | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the email parameter in hms-staff.php.
|
|||||
| CVE-2021-43609 | 1 Spiceworks | 1 Help Desk Server | 2024-11-21 | N/A | 9.9 CRITICAL |
|
An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data.
|
|||||