Search Results (37221 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-0846 1 1000projects 1 Employee Task Management System 2025-02-04 7.3 High
A vulnerability was found in 1000 Projects Employee Task Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/AdminLogin.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-0847 1 1000projects 1 Employee Task Management System 2025-02-04 7.3 High
A vulnerability was found in 1000 Projects Employee Task Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /index.php of the component Login. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-2257 3 Apple, Devolutions, Microsoft 3 Macos, Workspace, Windows 2025-02-04 6.1 Medium
Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to enter the password via an unimplemented "Force Login" security feature. This vulnerability occurs only if "Force Login" feature is enabled on the Hub Business instance and that an attacker has access to a locked Workspace desktop application configured with a Hub Business space.
CVE-2023-29849 1 Hockeycomputindo 1 Bang Resto 2025-02-04 8.8 High
Bang Resto 1.0 was discovered to contain multiple SQL injection vulnerabilities via the btnMenuItemID, itemID, itemPrice, menuID, staffID, or itemqty parameter.
CVE-2023-1414 1 Rextheme 1 Wp Vr 2025-02-04 4.3 Medium
The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours
CVE-2024-12539 1 Elastic 1 Elasticsearch 2025-02-04 6.5 Medium
An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.
CVE-2024-23451 1 Elastic 1 Elasticsearch 2025-02-04 4.4 Medium
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.
CVE-2024-55593 1 Fortinet 1 Fortiweb 2025-02-03 2.6 Low
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows attacker to gain information disclosure via crafted SQL queries
CVE-2024-52969 1 Fortinet 1 Fortisiem 2025-02-03 3.7 Low
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSIEM ersion 7.1.7 and below, version 7.1.0, version 7.0.3 and below, version 6.7.9 and below, 6.7.8, version 6.6.5 and below, version 6.5.3 and below, version 6.4.4 and below Update/Create Case feature may allow an authenticated attacker to extract database information via crafted requests.
CVE-2024-52967 1 Fortinet 1 Fortiportal 2025-02-03 3.3 Low
An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows attacker to execute unauthorized code or commands via html injection.
CVE-2012-5872 1 Arc2 Project 1 Arc2 2025-02-03 9.8 Critical
ARC (aka ARC2) through 2011-12-01 allows blind SQL Injection in getTriplePatternSQL in ARC2_StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause.
CVE-2023-27843 1 Ask For A Quote Project 1 Ask For A Quote 2025-02-03 9.8 Critical
SQL injection vulnerability found in PrestaShop askforaquote v.5.4.2 and before allow a remote attacker to gain privileges via the QuotesProduct::deleteProduct component.
CVE-2023-30545 1 Prestashop 1 Prestashop 2025-02-03 7.7 High
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9
CVE-2023-24512 1 Arista 110 32qd, 48ehs, 48lbas and 107 more 2025-02-03 8.8 High
On affected platforms running Arista EOS, an authorized attacker with permissions to perform gNMI requests could craft a request allowing it to update arbitrary configurations in the switch. This situation occurs only when the Streaming Telemetry Agent (referred to as the TerminAttr agent) is enabled and gNMI access is configured on the agent. Note: This gNMI over the Streaming Telemetry Agent scenario is mostly commonly used when streaming to a 3rd party system and is not used by default when streaming to CloudVision
CVE-2023-30211 1 Ourphp 1 Ourphp 2025-02-03 9.8 Critical
OURPHP <= 7.2.0 is vulnerable to SQL Injection.
CVE-2022-25274 1 Drupal 1 Drupal 2025-02-03 5.4 Medium
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.
CVE-2023-30112 1 Medicine Tracker System Project 1 Medicine Tracker System 2025-02-03 7.5 High
Medicine Tracker System in PHP 1.0.0 is vulnerable to SQL Injection.
CVE-2023-27107 1 Myq-solution 2 Central Server, Print Server 2025-02-03 8.8 High
Incorrect access control in the runReport function of MyQ Solution Print Server before 8.2 Patch 32 and Central Server before 8.2 Patch 22 allows users who do not have appropriate access rights to generate internal reports using a direct URL.
CVE-2022-25091 1 Infopop 1 Ultimate Bulletin Board 2025-02-03 5.3 Medium
Infopop Ultimate Bulletin Board up to v5.47a was discovered to allow all messages posted inside private forums to be disclosed by unauthenticated users via the quote reply feature.
CVE-2021-44465 1 Odoo 1 Odoo 2025-02-03 4.3 Medium
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests.