| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request. |
| Multiple SQL injection vulnerabilities in SmartCMS v.2. |
| SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x6b1b due to lack of proper user input validation in cmdHandlerStatusMonitor.dll. Formerly ZDI-CAN-4545. |
| Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges. |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. |
| An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects source_selector.php and the following parameter: src. |
| SQL injection vulnerability in the Multi Feed Reader prior to version 2.2.4 allows authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| SQL Injection exists in the Loginizer plugin before 1.3.6 for WordPress via the X-Forwarded-For HTTP header. |
| A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (Requires authentication to Wordpress admin) with the POST Parameter: list_id. |
| SQL injection vulnerability in the WBCE CMS 1.1.10 and earlier allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. |
| SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. |
| dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. |
| GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php. |
| IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php via the element parameter. |
| Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| SQL injection vulnerability in Sefrengo before 1.6.5 beta2. |
| Mojoomla WPGYM WordPress Gym Management System allows SQL Injection via the id parameter. |
| SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the or parameter. |
| An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new class, SQLUtil (main/java/com/dotmarketing/common/util/SQLUtil.java), as part of the remediation of CVE-2016-8902; however, these can be overcome in the case of the q and inode parameters to the /categoriesServlet path. Overcoming these controls permits a number of blind boolean SQL injection vectors in either parameter. The /categoriesServlet web path can be accessed remotely and without authentication in a default dotCMS deployment. |
| SQL injection vulnerability in phpMyBackupPro when run in multi-user mode before 2.5 allows remote attackers to execute arbitrary SQL commands via the username and password parameters. |
