Search Results (37290 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-1189 1 1000projects 1 Attendance Tracking Management System 2025-02-20 6.3 Medium
A vulnerability, which was classified as critical, was found in 1000 Projects Attendance Tracking Management System 1.0. This affects an unknown part of the file /admin/chart1.php. The manipulation of the argument course_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-35093 1 Stylemixthemes 1 Masterstudy Lms 2025-02-19 6.5 Medium
Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers to view the "Orders" of the plugin and get the data related to the order like email, username, and more.
CVE-2023-0335 1 Wpvar 1 Wp Shamsi 2025-02-19 6.5 Medium
The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment.
CVE-2023-1589 1 Online Tours \& Travels Management System Project 1 Online Tours \& Travels Management System 2025-02-19 6.3 Medium
A vulnerability has been found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical. This vulnerability affects the function exec of the file admin/operations/approve_delete.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-223654 is the identifier assigned to this vulnerability.
CVE-2023-28437 1 Dataease 1 Dataease 2025-02-19 9.8 Critical
Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds.
CVE-2023-0336 1 Ooohboi Steroids For Elementor Project 1 Ooohboi Steroids For Elementor 2025-02-19 6.5 Medium
The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment.
CVE-2025-1210 1 Anisha 1 Wazifa System 2025-02-19 6.3 Medium
A vulnerability classified as critical was found in code-projects Wazifa System 1.0. Affected by this vulnerability is an unknown functionality of the file /controllers/control.php. The manipulation of the argument to leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-28883 1 Cerebrate-project 1 Cerebrate 2025-02-19 9.8 Critical
In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.
CVE-2023-24840 1 Hgiga 1 Oaklouds Mailsherlock 2025-02-19 7.2 High
HGiga MailSherlock mail query function has vulnerability of insufficient validation for user input. An authenticated remote attacker with administrator privilege can exploit this vulnerability to inject SQL commands to read, modify, and delete the database.
CVE-2023-25017 1 Rifartek 1 Iot Wall 2025-02-19 8.1 High
RIFARTEK IOT Wall has a vulnerability of incorrect authorization. An authenticated remote attacker with general user privilege is allowed to perform specific privileged function to access and modify all sensitive data.
CVE-2023-27847 1 Xipblog Project 1 Xipblog 2025-02-19 9.8 Critical
SQL injection vulnerability found in PrestaShop xipblog v.2.0.1 and before allow a remote attacker to gain privileges via the xipcategoryclass and xippostsclass components.
CVE-2023-28640 1 Apiman 1 Apiman 2025-02-19 6.4 Medium
Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API Keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access.
CVE-2023-27701 1 Muyucms 1 Muyucms 2025-02-18 8.1 High
MuYuCMS v2.2 was discovered to contain an arbitrary file deletion vulnerability via the component /database/sqldel.html.
CVE-2022-36979 1 Ivanti 1 Avalanche 2025-02-18 9.8 Critical
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the AvalancheDaoSupport class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15493.
CVE-2022-36976 1 Ivanti 1 Avalanche 2025-02-18 9.8 Critical
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the GroupDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15333.
CVE-2022-36975 1 Ivanti 1 Avalanche 2025-02-18 9.8 Critical
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.
CVE-2022-36973 1 Ivanti 1 Avalanche 2025-02-18 8.8 High
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15329.
CVE-2022-36972 1 Ivanti 1 Avalanche 2025-02-18 9.8 Critical
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15328.
CVE-2022-37013 1 Unified-automation 1 Opc Ua C\+\+ Demo Server 2025-02-18 7.5 High
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation OPC UA C++ Demo Server 1.7.6-537 [with vendor rollup]. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of certificates. A crafted certificate can force the server into an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-17203.
CVE-2022-46021 1 X-man Project 1 X-man 2025-02-18 7.5 High
X-Man 1.0 has a SQL injection vulnerability, which can cause data leakage.