Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37197 | 1 Siemens | 1 Comos | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
|
A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS is vulnerable to SQL injections. This could allow an attacker to execute arbitrary SQL statements.
|
|||||
| CVE-2021-36916 | 1 Wpwave | 1 Hide My Wp | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
|
The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.
|
|||||
| CVE-2021-36898 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.
|
|||||
| CVE-2021-36880 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | 7.5 HIGH | 8.6 HIGH |
|
Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom.
|
|||||
| CVE-2021-36807 | 1 Sophos | 1 Unified Threat Management Up2date | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
|
|||||
| CVE-2021-36789 | 1 Dated News Project | 1 Dated News | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection.
|
|||||
| CVE-2021-36748 | 1 Prestahome | 1 Blog | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A SQL Injection issue in the list controller of the Prestahome Blog (aka ph_simpleblog) module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sb_category parameter.
|
|||||
| CVE-2021-36722 | 1 Emuse - Eservices \/ Envoice Project | 1 Emuse - Eservices \/ Envoice | 2024-11-21 | 10.0 HIGH | 7.1 HIGH |
|
Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by CWE-209: Generation of Error Message Containig Sensetive Information, showing parts of the aspx code and the webroot location , information an attacker can leverage to further compromise the host.
|
|||||
| CVE-2021-36625 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
|
|||||
| CVE-2021-36624 | 1 Phone Shop Sales Management System Project | 1 Phone Shop Sales Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Sourcecodester Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
|
|||||
| CVE-2021-36621 | 1 Online Covid Vaccination Scheduler System Project | 1 Online Covid Vaccination Scheduler System | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL Injection. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, an attacker can decrypt and obtain the plain-text password. Hence, the attacker could authenticate as Administrator.
|
|||||
| CVE-2021-36455 | 1 Naviwebs | 1 Navigate Cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php.
|
|||||
| CVE-2021-36393 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 9.8 CRITICAL |
|
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.
|
|||||
| CVE-2021-36392 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 9.8 CRITICAL |
|
In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.
|
|||||
| CVE-2021-36385 | 1 Cerner | 1 Mobile Care | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell.
|
|||||
| CVE-2021-36351 | 1 Care2x | 1 Hospital Information Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SQL Injection Vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php.
|
|||||
| CVE-2021-36348 | 1 Dell | 2 Integrated Dell Remote Access Controller 9, Integrated Dell Remote Access Controller 9 Firmware | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC.
|
|||||
| CVE-2021-36328 | 1 Dell | 1 Emc Streaming Data Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.
|
|||||
| CVE-2021-36300 | 1 Dell | 1 Emc Idrac9 Firmware | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure.
|
|||||
| CVE-2021-36299 | 1 Dell | 1 Emc Idrac9 Firmware | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application.
|
|||||
| CVE-2021-36184 | 1 Fortinet | 1 Fortiwlm | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
|
A improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclosure device, users and database information via crafted HTTP requests.
|
|||||
| CVE-2021-35487 | 1 Nokia | 1 Broadcast Message Center | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain the database user, database name, and database version information, and potentially database data.
|
|||||
| CVE-2021-35458 | 1 Online Pet Shop We App Project | 1 Online Pet Shop We App | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Online Pet Shop We App 1.0 is vulnerable to Union SQL Injection in products.php (aka p=products) via the c or s parameter.
|
|||||
| CVE-2021-35456 | 1 Online Pet Shop Web Application Project | 1 Online Pet Shop Web Application | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload
|
|||||
| CVE-2021-35437 | 1 Lmxcms | 1 Lmxcms | 2024-11-21 | N/A | 9.8 CRITICAL |
|
SQL injection vulnerability in LMXCMS v.1.4 allows attacker to execute arbitrary code via the TagsAction.class.
|
|||||
| CVE-2021-35414 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
|
|||||
| CVE-2021-35283 | 1 Atoms183 Cms Project | 1 Atoms183 Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SQL Injection vulnerability in product_admin.php in atoms183 CMS 1.0, allows attackers to execute arbitrary commands via the Name, Fname, and ID parameters to search.php.
|
|||||
| CVE-2021-35234 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | 6.5 MEDIUM | 8.0 HIGH |
|
Numerous exposed dangerous functions within Orion Core has allows for read-only SQL injection leading to privileged escalation. An attacker with low-user privileges may steal password hashes and password salt information.
|
|||||
| CVE-2021-35212 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | 9.0 HIGH | 8.9 HIGH |
|
An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certificate for any authenticated user.
|
|||||
| CVE-2021-35049 | 1 Fidelissecurity | 2 Deception, Network | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response in an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
|
|||||
| CVE-2021-35048 | 1 Fidelissecurity | 2 Deception, Network | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
|
|||||
| CVE-2021-35042 | 2 Djangoproject, Fedoraproject | 2 Django, Fedora | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
|
|||||
| CVE-2021-34684 | 1 Hitachi | 1 Vantara Pentaho | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.
|
|||||
| CVE-2021-34609 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
|
|||||
| CVE-2021-34187 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
|
|||||
| CVE-2021-34166 | 1 Simple Food Website Project | 1 Simple Food Website | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A SQL INJECTION vulnerability in Sourcecodester Simple Food Website 1.0 allows a remote attacker to Bypass Authentication and become Admin.
|
|||||
| CVE-2021-34165 | 1 Basic Shopping Cart Project | 1 Basic Shopping Cart | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A SQL Injection vulnerability in Sourcecodester Basic Shopping Cart 1.0 allows a remote attacker to Bypass Authentication and become Admin.
|
|||||
| CVE-2021-33894 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or ...
Show More |
|||||
| CVE-2021-33736 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
|
|||||
| CVE-2021-33735 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
|
|||||