Total: 12892 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-7099 | | | 2024-10-15 | N/A | 9.8 CRITICAL | netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated into SQL queries, leading to SQL injection. The affected functions include `get_knowledge_base_name`, `from_status_to_status`, `delete_files`, and `get_file_by_status`. An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially stealing information from the database. The issue is fixed in version 1.4.2.
CVE-2024-5329 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor | 2024-10-14 | N/A | 8.8 HIGH | The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to blind SQL injection via the ‘data[addonID]’ parameter in all versions up to, and including, 1.5.109 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries to existing queries that can be used to extract sensitive information from the database.
CVE-2023-49030 | 1 32ns | 1 Klive | 2024-10-11 | N/A | 7.5 HIGH | SQL injection vulnerability in 32ns KLive v.2019-1-19 and before allows a remote attacker to obtain sensitive information via a crafted script to the web/user.php component.
CVE-2024-4890 | 1 Litellm | 1 Litellm | 2024-10-10 | N/A | 4.9 MEDIUM | A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises from the improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability by injecting malicious SQL commands through the 'user_id' parameter, leading to potential unauthorized access to sensitive information such as API keys, user information, and tokens stored in the database. The affected version is 1.27.14.
CVE-2024-9379 | 1 Ivanti | 1 Endpoint Manager Cloud Services Appliance | 2024-10-10 | N/A | 7.2 HIGH | SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
CVE-2024-44349 | | | 2024-10-10 | N/A | 9.8 CRITICAL | A SQL injection vulnerability in the login portal of AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclose some data in the underlying DB.
CVE-2024-43918 | 1 Woobewoo | 1 Product Table | 2024-10-10 | N/A | 9.8 CRITICAL | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WBW Product Table PRO allows SQL Injection. This issue affects WBW Product Table PRO: from n/a through 1.9.4.
CVE-2024-43468 | | | 2024-10-10 | N/A | 9.8 CRITICAL | Microsoft Configuration Manager Remote Code Execution Vulnerability
CVE-2024-8911 | | | 2024-10-10 | N/A | 9.8 CRITICAL | The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note that changing a WordPress user's password is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. Without this setting enabled, only the passwords of plugin customers, which are stored and managed in a separate database table, can be modified.
CVE-2024-9286 | | | 2024-10-10 | N/A | N/A | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Improper Input Validation vulnerability in TRtek Software Distant Education Platform allows SQL Injection, Parameter Injection. This issue affects Distant Education Platform: before 3.2024.11.
CVE-2024-47334 | | | 2024-10-10 | N/A | 7.6 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Flow Zoho Flow for WordPress allows SQL Injection. This issue affects Zoho Flow for WordPress: from n/a through 2.7.1.
CVE-2024-38348 | 1 Health Care Hospital Management System Project | 1 Health Care Hospital Management System | 2024-10-10 | N/A | 8.8 HIGH | CodeProjects Health Care Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability in the Staff Info module via the searvalu parameter.
CVE-2023-39292 | 1 Mitel | 3 Mivoice Office 400, Mivoice Office 400 Smb Controller, Mivoice Office 400 Smb Controller Firmware | 2024-10-09 | N/A | 9.8 CRITICAL | A SQL injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to access sensitive information and execute arbitrary database and management operations.
CVE-2024-5984 | 1 Itsourcecode | 1 Online Book Store Project | 2024-10-09 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability was found in itsourcecode Online Bookstore 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file book.php. The manipulation of the argument bookisbn leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-268460.
CVE-2024-0566 | 1 Storeapps | 1 Smart Manager | 2024-10-09 | N/A | 7.2 HIGH | The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.
CVE-2024-9574 | 1 Soplanning | 1 Soplanning | 2024-10-08 | N/A | 6.5 MEDIUM | SQL injection vulnerability in SOPlanning <1.45, via /soplanning/www/user_groupes.php in the by parameter, which could allow a remote user to submit a specially crafted query and retrieve all the information stored in the DB.
CVE-2024-9573 | 1 Soplanning | 1 Soplanning | 2024-10-08 | N/A | 6.5 MEDIUM | SQL injection vulnerability in SOPlanning <1.45, through /soplanning/www/groupe_list.php, in the by parameter, which could allow a remote user to send a specially crafted query and extract all the information stored on the server.
CVE-2021-1636 | 1 Microsoft | 1 Sql Server | 2024-10-08 | 6.5 MEDIUM | 8.8 HIGH | Microsoft SQL Elevation of Privilege Vulnerability
CVE-2024-43699 | 1 Deltaww | 1 Diaenergie | 2024-10-08 | N/A | 9.8 CRITICAL | Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product.
CVE-2024-42417 | 1 Deltaww | 1 Diaenergie | 2024-10-08 | N/A | 8.8 HIGH | Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. An authenticated attacker may be able to exploit this issue to cause a delay in the targeted product.