Search Results (37221 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-23203 1 Odoo 1 Odoo 2025-02-03 7.5 High
Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.
CVE-2023-30839 1 Prestashop 1 Prestashop 2025-02-03 10 Critical
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.
CVE-2023-31250 1 Drupal 1 Drupal 2025-02-03 6.5 Medium
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
CVE-2023-2338 1 Pimcore 1 Pimcore 2025-02-03 8.8 High
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-33321 1 Metagauss 1 Eventprime 2025-02-03 5.3 Medium
Missing Authorization vulnerability in Metagauss EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 2.8.6.
CVE-2019-19245 1 Napc 1 Xinet Elegant 6 Asset Library 2025-02-02 9.8 Critical
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
CVE-2022-4118 1 Coinmarketstats 1 Bitcoin \/ Altcoin Payment Gateway For Woocommerce 2025-01-31 9.8 Critical
The Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop WordPress plugin through 1.7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by authenticated users
CVE-2024-57775 1 Jfinaloa Project 1 Jfinaloa 2025-01-31 8.8 High
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid.
CVE-2018-9406 1 Google 1 Android 2025-01-31 5.5 Medium
In NlpService, there is a possible way to obtain location information due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2022-37326 1 Docker 1 Desktop 2025-01-31 7.8 High
Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class. This can indirectly lead to privilege escalation.
CVE-2021-4134 1 Radykal 1 Fancy Product Designer 2025-01-31 7.2 High
The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.
CVE-2022-0651 1 Veronalabs 1 Wp Statistics 2025-01-31 9.8 Critical
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
CVE-2022-0236 1 Vjinfotech 2 Wp Import Export, Wp Import Export Lite 2025-01-31 7.5 High
The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.
CVE-2022-25149 1 Veronalabs 1 Wp Statistics 2025-01-31 9.8 Critical
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
CVE-2022-3400 1 Bricksbuilder 1 Bricks 2025-01-31 6.5 Medium
The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website.
CVE-2023-30849 1 Pimcore 1 Pimcore 2025-01-31 8.8 High
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, A SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually.
CVE-2023-30024 1 Magicjack 2 A921, A921 Firmware 2025-01-31 6.6 Medium
The MagicJack device, a VoIP solution for internet phone calls, contains a hidden NAND flash memory partition allowing unauthorized read/write access. Attackers can exploit this by replacing the original software with a malicious version, leading to ransomware deployment on the host computer. Affected devices have firmware versions prior to magicJack A921 USB Phone Jack Rev 3.0 V1.4.
CVE-2023-26781 1 Chshcms 1 Mccms 2025-01-31 9.8 Critical
SQL injection vulnerability in mccms 2.6 allows remote attackers to run arbitrary SQL commands via Author Center ->Reader Comments ->Search.
CVE-2024-35278 1 Fortinet 1 Fortiportal 2025-01-31 4.1 Medium
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiPortal versions 7.2.4 through 7.2.0 and 7.0.0 through 7.2.8 may allow an authenticated attacker to view the SQL query being run server-side when submitting an HTTP request, via including special elements in said request.
CVE-2025-24793 2025-01-31 7 High
The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the snowflake.connector.pandas_tools module is vulnerable to SQL injection. This vulnerability affects versions 2.2.5 through 3.13.0. Snowflake fixed the issue in version 3.13.1.