Search Results (37096 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-41551 1 Campcodes 1 Supplier Management System 2024-11-21 7.3 High
CampCodes Supplier Management System v1.0 is vulnerable to SQL injection via Supply_Management_System/admin/view_order_items.php?id= .
CVE-2024-40689 1 Ibm 2 Infosphere Information Server, Infosphere Information Server On Cloud 2024-11-21 6 Medium
IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. IBM X-Force ID: 297719.
CVE-2024-40637 1 Getdbt 1 Dbt Core 2024-11-21 4.2 Medium
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no kn own workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`.
CVE-2024-40542 2 Codermy, Witmy 2 My-springsecurity-plus, My-springsecurity-plus 2024-11-21 6.3 Medium
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/role?offset.
CVE-2024-40541 2 Codermy, Witmy 2 My-springsecurity-plus, My-springsecurity-plus 2024-11-21 6.2 Medium
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept/build.
CVE-2024-40540 1 Codermy 1 My-springsecurity-plus 2024-11-21 6.2 Medium
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept.
CVE-2024-40539 2 Codermy, Witmy 2 My-springsecurity-plus, My-springsecurity-plus 2024-11-21 6.2 Medium
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/user.
CVE-2024-40322 1 Jfinalcms Project 1 Jfinalcms 2024-11-21 6.3 Medium
An issue was discovered in JFinalCMS v.5.0.0. There is a SQL injection vulnerablity via /admin/div_data/data
CVE-2024-40060 1 Wcharczuk 1 Go-chart 2024-11-21 7.5 High
go-chart v2.1.1 was discovered to contain an infinite loop via the drawCanvas() function.
CVE-2024-3816 1 Conceptintermedia 1 S\@m Cms 2024-11-21 9.8 Critical
Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to a blind SQL Injection executed using the search bar.  Only a part of observed services is vulnerable, but since vendor has not investigated the root problem, it is hard to determine when the issue appears.
CVE-2024-3223 2024-11-21 6.3 Medium
A vulnerability, which was classified as critical, was found in SourceCodester PHP Task Management System 1.0. Affected is an unknown function of the file admin-manage-user.php. The manipulation of the argument admin_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259068.
CVE-2024-3222 2024-11-21 6.3 Medium
A vulnerability, which was classified as critical, has been found in SourceCodester PHP Task Management System 1.0. This issue affects some unknown processing of the file admin-password-change.php. The manipulation of the argument admin_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259067.
CVE-2024-3115 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.
CVE-2024-3033 1 Mintplexlabs 1 Anythingllm 2024-11-21 9.4 Critical
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this vulnerability can lead to complete data loss of document embeddings across all workspaces, rendering workspace chats and embeddable chat widgets non-functional. Additionally, attackers can list all namespaces, potentially exposing private workspace names.
CVE-2024-3002 2024-11-21 6.3 Medium
A vulnerability, which was classified as critical, was found in code-projects Online Book System 1.0. Affected is an unknown function of the file /description.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-258204.
CVE-2024-39907 1 Fit2cloud 1 1panel 2024-11-21 9.8 Critical
1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
CVE-2024-39677 1 Nhibernate 1 Nhibernate-core 2024-11-21 5.9 Medium
NHibernate is an object-relational mapper for the .NET framework. A SQL injection vulnerability exists in some types implementing ILiteralType.ObjectToSQLString. Callers of these methods are exposed to the vulnerability, which includes mappings using inheritance with discriminator values; HQL queries referencing a static field of the application; users of the SqlInsertBuilder and SqlUpdateBuilder utilities, calling their AddColumn overload taking a literal value; and any direct use of the ObjectToSQLString methods for building SQL queries on the user side. This vulnerability is fixed in 5.4.9 and 5.5.2.
CVE-2024-39671 1 Huawei 2 Emui, Harmonyos 2024-11-21 9.3 Critical
Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-39592 2 Sap, Sap Se 3 S4core, S4coreop, Sap Pdce 2024-11-21 7.7 High
Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
CVE-2024-39325 1 Aimeos 1 Aimeos Frontend Controller 2024-11-21 5.3 Medium
aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue.