Search Results (36911 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-0434 1 A3rev 1 Page View Count 2024-11-21 9.8 Critical
The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks
CVE-2022-0420 1 Metagauss 1 Registrationmagic 2024-11-21 7.2 High
The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks
CVE-2022-0412 1 Templateinvaders 1 Ti Woocommerce Wishlist 2024-11-21 9.8 Critical
The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks
CVE-2022-0411 1 Asgaros 1 Asgaros Forum 2024-11-21 8.8 High
The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection
CVE-2022-0406 1 Janeczku 1 Calibre-web 2024-11-21 4.3 Medium
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
CVE-2022-0404 1 Material Design For Contact Form 7 Project 1 Material Design For Contact Form 7 2024-11-21 6.5 Medium
The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged in user (with roles as low as Subscriber) to set arbitrary options to true, potentially leading to Denial of Service by breaking the site.
CVE-2022-0398 1 Caseproof 1 Thirstyaffiliates Affiliate Link Manager 2024-11-21 5.4 Medium
The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website
CVE-2022-0390 1 Gitlab 1 Gitlab 2024-11-21 4.3 Medium
Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.
CVE-2022-0386 1 Sophos 1 Unified Threat Management 2024-11-21 8.8 High
A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710.
CVE-2022-0383 1 Ljapps 1 Wp Review Slider 2024-11-21 7.2 High
The WP Review Slider WordPress plugin before 11.0 does not sanitise and escape the pid parameter when copying a Twitter source, which could allow a high privilege users to perform SQL Injections attacks
CVE-2022-0366 1 Capsule8 1 Capsule8 2024-11-21 8.8 High
An authenticated and authorized agent user could potentially gain administrative access via an SQLi vulnerability to Capsule8 Console between versions 4.6.0 and 4.9.1.
CVE-2022-0362 1 Showdoc 1 Showdoc 2024-11-21 9.8 Critical
SQL Injection in Packagist showdoc/showdoc prior to 2.10.3.
CVE-2022-0349 1 Wpdeveloper 1 Notificationx 2024-11-21 9.8 Critical
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection
CVE-2022-0345 1 Madewithfuel 1 Customize Wordpress Emails And Alerts 2024-11-21 4.3 Medium
The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).
CVE-2022-0334 1 Moodle 1 Moodle 2024-11-21 4.3 Medium
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
CVE-2022-0333 1 Moodle 1 Moodle 2024-11-21 3.8 Low
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.
CVE-2022-0332 1 Moodle 1 Moodle 2024-11-21 9.8 Critical
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
CVE-2022-0309 1 Google 1 Chrome 2024-11-21 6.5 Medium
Inappropriate implementation in Autofill in Google Chrome prior to 97.0.4692.99 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2022-0273 1 Janeczku 1 Calibre-web 2024-11-21 6.5 Medium
Improper Access Control in Pypi calibreweb prior to 0.6.16.
CVE-2022-0267 1 Adrotate Project 1 Adrotate 2024-11-21 7.2 High
The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action before using it in a SQL statement via the adrotate_request_action function available to admins, leading to a SQL injection