Total: 18012 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-16277 | 1 Carson-saint | 1 Saint Security Suite | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database. |
| CVE-2020-16276 | 1 Carson-saint | 1 Saint Security Suite | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database. |
| CVE-2020-16267 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module. |
| CVE-2020-16104 | 1 Gallagher | 1 Command Centre | 2024-11-21 | 6.5 MEDIUM | 8.2 HIGH | SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versi ... |
| CVE-2020-15947 | 1 Loway | 1 Queuemetrics | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability in the qm_adm/qm_export_stats_run.do endpoint of Loway QueueMetrics before 19.10.21 allows remote authenticated users to execute arbitrary SQL commands via the exportId parameter. |
| CVE-2020-15927 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module. |
| CVE-2020-15925 | 1 Loway | 1 Queuemetrics | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability at a tpf URI in Loway QueueMetrics before 19.10.21 allows remote authenticated attackers to execute arbitrary SQL commands via the TPF_XPAR1 parameter. |
| CVE-2020-15924 | 1 Midasolutions | 1 Eframework | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | There is a SQL Injection in Mida eFramework through 2.9.0 that leads to Information Disclosure. No authentication is required. The injection point resides in one of the authentication parameters. |
| CVE-2020-15887 | 1 Softwareupdate Project | 1 Softwareupdate | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability in softwareupdate_controller.php in the Software Update module before 1.6 for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_data/ endpoint. |
| CVE-2020-15886 | 1 Reportdata Project | 1 Reportdata | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability in reportdata_controller.php in the reportdata module before 3.5 for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint. |
| CVE-2020-15884 | 1 Munkireport Project | 1 Munkireport | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | A SQL injection vulnerability in TableQuery.php in MunkiReport before 5.6.3 allows attackers to execute arbitrary SQL commands via the order[0][dir] field on POST requests to /datatables/data. |
| CVE-2020-15873 | 1 Librenms | 1 Librenms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | In LibreNMS before 1.65.1, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php. |
| CVE-2020-15849 | 1 Re-desk | 1 Re\ | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for authorization bypass and taking over additional accounts by means of modifying password-reset tokens stored in the database. Remote command execution is also possible by leveraging this to abuse the Yi ... |
| CVE-2020-15792 | 1 Siemens | 1 Desigo Insight | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability has been identified in Desigo Insight (All versions). The web service does not properly apply input validation for some query parameters in a reserved area. This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack. |
| CVE-2020-15714 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.crud.php script using the custom_Location parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database. |
| CVE-2020-15713 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.php script using the sortBy parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database. |
| CVE-2020-15628 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the user parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CA ... |
| CVE-2020-15627 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the account parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI ... |
| CVE-2020-15626 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the term parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-973 ... |
| CVE-2020-15625 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_add_mailbox.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-C ... |
| CVE-2020-15624 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_new_account.php. When parsing the domain parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN ... |
| CVE-2020-15622 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the search parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI- ... |
| CVE-2020-15621 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mail_autoreply.php. When parsing the email parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-C ... |
| CVE-2020-15620 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the id parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-9 ... |
| CVE-2020-15619 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the type parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN ... |
| CVE-2020-15618 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI ... |
| CVE-2020-15617 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the status parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-C ... |
| CVE-2020-15616 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 7.8 HIGH | 7.5 HIGH | This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the package parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI- ... |
| CVE-2020-15540 | 1 We-com | 1 Opendata Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | We-com OpenData CMS 2.0 allows SQL Injection via the username field on the administrator login page. |
| CVE-2020-15539 | 1 We-com | 1 Municipality Portal Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | SQL injection can occur in We-com Municipality portal CMS 2.1.x via the cerca/ keywords field. |
| CVE-2020-15533 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. |
| CVE-2020-15504 | 1 Sophos | 1 Xg Firewall Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix. |
| CVE-2020-15487 | 1 Re-desk | 1 Re\ | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL statements via a crafted URL. Unauthenticated remote command execution is possible by using this SQL injection to update certain database values, which are then executed by a bizRule eval() function in the yii/framework/web/auth/CAuthManager.php file. Resultant authorizati ... |
| CVE-2020-15468 | 1 Persian Vip Download Script Project | 1 Persian Vip Download Script | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Persian VIP Download Script 1.0 allows SQL Injection via the cart_edit.php active parameter. |
| CVE-2020-15394 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. |
| CVE-2020-15363 | 1 Nexos Project | 1 Nexos | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL | The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection. |
| CVE-2020-15333 | 1 Zyxel | 1 Cloudcnm Secumanager | 2024-11-21 | N/A | 5.3 MEDIUM | Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discover accounts via MySQL "select * from Administrator_users" and "select * from Users_users" requests. |
| CVE-2020-15308 | 1 Turnkeylinux | 1 Support Incident Tracker | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-authentication SQL injection via the site_edit.php typeid or site parameter, the search_incidents_advanced.php search_title parameter, or the report_qbe.php criteriafield parameter. |
| CVE-2020-15226 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 5.0 MEDIUM | In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory. |
| CVE-2020-15176 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 5.0 MEDIUM | 8.7 HIGH | In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query, the application does not escape or sanitize, allowing for SQL Injection to occur. Leveraging this vulnerability, an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2. |