Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1699 | 1 Ibm | 1 Maximo Asset Management | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145968.
|
|||||
| CVE-2018-1674 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
IBM Business Process Manager 8.5 through 8.6 and 18.0.0.0 through 18.0.0.1 are vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145109.
|
|||||
| CVE-2018-1414 | 1 Ibm | 2 Maximo Asset Management, Maximo Asset Management Essentials | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 138820.
|
|||||
| CVE-2018-1292 | 1 Apache | 1 Fineract | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter.
|
|||||
| CVE-2018-1291 | 1 Apache | 1 Fineract | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query parameter by way of the "order" param in such a way to read/update the data for which he doesn't have authorization.
|
|||||
| CVE-2018-1290 | 1 Apache | 1 Fineract | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of MakercheckersApiResource Class.
|
|||||
| CVE-2018-1289 | 1 Apache | 1 Fineract | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' and 'sortOrder' query parameter in such a way to read/update the data for which he doesn't have authorization.
|
|||||
| CVE-2018-1282 | 1 Apache | 1 Hive | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
|
This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation.
|
|||||
| CVE-2018-1280 | 1 Pivotal Software | 1 Greenplum Command Center | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in disclosure of database contents.
|
|||||
| CVE-2018-1252 | 1 Rsa | 1 Web Threat Detection | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
RSA Web Threat Detection versions prior to 6.4, contain an SQL injection vulnerability in the Administration and Forensics applications. An authenticated malicious user with low privileges could potentially exploit this vulnerability to execute SQL commands on the back-end database to gain unauthorized access to the tool's monitoring and user information by supplying specially crafted input data to the affected application.
|
|||||
| CVE-2018-1132 | 1 Opendaylight | 1 Sdninterfaceapp | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
|
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL.
|
|||||
| CVE-2018-1096 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database.
|
|||||
| CVE-2018-19998 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
|
|||||
| CVE-2018-19994 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.
|
|||||
| CVE-2018-19952 | 1 Qnap | 2 Music Station, Qts | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
If exploited, this SQL injection vulnerability could allow remote attackers to obtain application information. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11.
|
|||||
| CVE-2018-19925 | 1 Sales \& Company Management System Project | 1 Sales \& Company Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter.
|
|||||
| CVE-2018-19898 | 1 Thinkcmf | 1 Thinkcmf | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action.
|
|||||
| CVE-2018-19897 | 1 Thinkcmf | 1 Thinkcmf | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action.
|
|||||
| CVE-2018-19896 | 1 Thinkcmf | 1 Thinkcmf | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action.
|
|||||
| CVE-2018-19895 | 1 Thinkcmf | 1 Thinkcmf | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action.
|
|||||
| CVE-2018-19894 | 1 Thinkcmf | 1 Thinkcmf | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.
|
|||||
| CVE-2018-19893 | 1 Pbootcms | 1 Pbootcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string.
|
|||||
| CVE-2018-19559 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter.
|
|||||
| CVE-2018-19558 | 1 Arcms Project | 1 Arcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in arcms through 2018-03-19. SQL injection exists via the json/newslist limit parameter because of ctl/main/Json.php, ctl/main/service/Data.php, and comp/Db/Mysql.php.
|
|||||
| CVE-2018-19557 | 1 Arcms Project | 1 Arcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An issue was discovered in arcms through 2018-03-19. No authentication is required for index/main, user/useradd, or img/images.
|
|||||
| CVE-2018-19553 | 1 Interspire | 1 Email Marketer | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Interspire Email Marketer through 6.1.6 has SQL Injection via an updateblock sortorder request to Dynamiccontenttags.php
|
|||||
| CVE-2018-19552 | 1 Interspire | 1 Email Marketer | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Interspire Email Marketer through 6.1.6 has SQL Injection via a deleteblock blockid[] request to Dynamiccontenttags.php.
|
|||||
| CVE-2018-19551 | 1 Interspire | 1 Email Marketer | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Interspire Email Marketer through 6.1.6 has SQL Injection via a checkduplicatetags tagname request to Dynamiccontenttags.php.
|
|||||
| CVE-2018-19549 | 1 Interspire | 1 Email Marketer | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Interspire Email Marketer through 6.1.6 has SQL Injection via a tagids Delete action to Dynamiccontenttags.php.
|
|||||
| CVE-2018-19510 | 1 Ens | 1 Webgalamb | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
subscriber.php in Webgalamb through 7.0 is vulnerable to SQL injection via the Client-IP HTTP request header.
|
|||||
| CVE-2018-19468 | 1 Hucart | 1 Hucart | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
HuCart 5.7.4 has SQL injection in get_ip() in system/class/helper_class.php via the X-Forwarded-For HTTP header to the user/index.php?load=login&act=act_login URI.
|
|||||
| CVE-2018-19462 | 1 Phome | 1 Empirecms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
admin\db\DoSql.php in EmpireCMS through 7.5 allows remote attackers to execute arbitrary PHP code via SQL injection that uses a .php filename in a SELECT INTO OUTFILE statement to admin/admin.php.
|
|||||
| CVE-2018-19436 | 1 Weberp | 1 Weberp | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
An issue was discovered in the Manufacturing component in webERP 4.15. CollectiveWorkOrderCost.php has Blind SQL Injection via the SearchParts parameter.
|
|||||
| CVE-2018-19435 | 1 Weberp | 1 Weberp | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
An issue was discovered in the Sales component in webERP 4.15. SalesInquiry.php has SQL Injection via the SortBy parameter.
|
|||||
| CVE-2018-19434 | 1 Weberp | 1 Weberp | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
An issue was discovered on the "Bank Account Matching - Receipts" screen of the General Ledger component in webERP 4.15. BankMatching.php has Blind SQL injection via the AmtClear_ parameter.
|
|||||
| CVE-2018-19415 | 1 Plikli | 1 Plikli Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Multiple SQL injection vulnerabilities in Plikli CMS 4.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to join_group.php or (2) comment_id parameter to story.php.
|
|||||
| CVE-2018-19349 | 1 Seacms | 1 Seacms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php.
|
|||||
| CVE-2018-19331 | 1 S-cms | 1 S-cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in S-CMS v1.5. There is a SQL injection vulnerability in search.php via the keyword parameter.
|
|||||
| CVE-2018-19312 | 1 Centreon | 1 Centreon | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.
|
|||||
| CVE-2018-19281 | 1 Centreon | 1 Centreon | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) allows SNMP trap SQL Injection.
|
|||||