Total
13008 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-23163 | 1 Phpgurukul | 1 Art Gallery Management System | 2024-08-02 | 9.8 Critical |
| Art Gallery Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter. | ||||
| CVE-2023-23007 | 1 Ecisp | 1 Espcms | 2024-08-02 | 7.2 High |
| An issue was discovered in ESPCMS P8.21120101 after logging in to the background, there is a SQL injection vulnerability in the function node where members are added. | ||||
| CVE-2023-23331 | 1 Amano | 1 Xoffice | 2024-08-02 | 9.8 Critical |
| Amano Xoffice parking solutions 7.1.3879 is vulnerable to SQL Injection. | ||||
| CVE-2023-23162 | 1 Phpgurukul | 1 Art Gallery Management System | 2024-08-02 | 9.8 Critical |
| Art Gallery Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the cid parameter at product.php. | ||||
| CVE-2023-23155 | 1 Phpgurukul | 1 Art Gallery Management System | 2024-08-02 | 9.8 Critical |
| Art Gallery Management System Project in PHP 1.0 was discovered to contain a SQL injection vulnerability via the username parameter in the Admin Login. | ||||
| CVE-2023-23156 | 1 Phpgurukul | 1 Art Gallery Management System | 2024-08-02 | 9.8 Critical |
| Art Gallery Management System Project in PHP 1.0 was discovered to contain a SQL injection vulnerability via the pid parameter in the single-product page. | ||||
| CVE-2023-22959 | 1 Webchess Project | 1 Webchess | 2024-08-02 | 8.8 High |
| WebChess through 0.9.0 and 1.0.0.rc2 allows SQL injection: mainmenu.php, chess.php, and opponentspassword.php (txtFirstName, txtLastName). | ||||
| CVE-2023-22900 | 1 Thinkingsoftware | 1 Efence | 2024-08-02 | 9.8 Critical |
| Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete database. | ||||
| CVE-2023-22794 | 2 Activerecord Project, Redhat | 2 Activerecord, Satellite | 2024-08-02 | 8.8 High |
| A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment. | ||||
| CVE-2023-22727 | 1 Cakephp | 1 Cakephp | 2024-08-02 | 9.8 Critical |
| CakePHP is a development framework for PHP web apps. In affected versions the `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by using CakePHP's Pagination library. Manually validating or casting parameters to these methods will also mitigate the issue. | ||||
| CVE-2023-22630 | 1 Izybat | 1 Orange Casiers | 2024-08-02 | 4.3 Medium |
| IzyBat Orange casiers before 20221102_1 allows SQL Injection via a getCasier.php?taille= URI. | ||||
| CVE-2023-22491 | 1 Gatsbyjs | 1 Gatsby | 2024-08-02 | 8.1 High |
| Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. It is encouraged for projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner. | ||||
| CVE-2023-22324 | 1 Contec | 1 Conprosys Hmi System | 2024-08-02 | 6.5 Medium |
| SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5.0 and earlier allows a remote authenticated attacker to execute an arbitrary SQL command. As a result, information stored in the database may be obtained. | ||||
| CVE-2023-20271 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2024-08-02 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain and modify sensitive information that is stored in the underlying database. | ||||
| CVE-2023-20211 | 1 Cisco | 1 Unified Communications Manager | 2024-08-02 | 8.1 High |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by authenticating to the application as a user with read-only or higher privileges and sending crafted HTTP requests to an affected system. A successful exploit could allow the attacker to read or modify data in the underlying database or elevate their privileges. | ||||
| CVE-2023-20010 | 1 Cisco | 1 Unified Communications Manager | 2024-08-02 | 8.1 High |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface inadequately validates user input. An attacker could exploit this vulnerability by authenticating to the application as a low-privileged user and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to read or modify any data on the underlying database or elevate their privileges. | ||||
| CVE-2023-7190 | 1 S-cms | 1 S-cms | 2024-08-02 | 5.5 Medium |
| A vulnerability, which was classified as critical, has been found in S-CMS up to 2.0_build20220529-20231006. Affected by this issue is some unknown functionality of the file /member/ad.php?action=ad. The manipulation of the argument A_text/A_url/A_contact leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249392. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-7185 | 1 7-card | 1 Fakabao | 2024-08-02 | 5.5 Medium |
| A vulnerability was found in 7-card Fakabao up to 1.0_build20230805. It has been classified as critical. This affects an unknown part of the file shop/wxpay_notify.php. The manipulation of the argument out_trade_no leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249387. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-7184 | 1 7-card | 1 Fakabao | 2024-08-02 | 5.5 Medium |
| A vulnerability was found in 7-card Fakabao up to 1.0_build20230805 and classified as critical. Affected by this issue is some unknown functionality of the file shop/notify.php. The manipulation of the argument out_trade_no leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-249386 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-7189 | 1 S-cms | 1 S-cms | 2024-08-02 | 5.5 Medium |
| A vulnerability classified as critical was found in S-CMS up to 2.0_build20220529-20231006. Affected by this vulnerability is an unknown functionality of the file /s/index.php?action=statistics. The manipulation of the argument lid leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||