Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-39651: [CVE-2023-39651] Improper neutralization of SQL parameter in Theme Volty CMS BrandList module for PrestaShop

Improper neutralization of SQL parameter in Theme Volty CMS BrandList module for PrestaShop In the module “Theme Volty CMS BrandList” (tvcmsbrandlist) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

CVE
#sql#vulnerability#web#php#perl#auth
GHSA-xm7x-f3w2-4hjm: Presto JDBC Server-Side Request Forgery by redirect

### Summary Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can construct a redirect response that Presto JDBC client will follow and view sensitive information from highly sensitive internal servers or perform a local port scan. ### Details Presto JDBC client uses OkHttp to send `POST /v1/statement` and `GET /v1/info` requests to the remote Presto server. And OkHttp will follow 301 and 302 redirect by default. In addition, JDBC will manually follow 307 and 308 redirect. Therefore, if a malicious server returns a 30x redirect, JDBC client will follow the redirect and cause SSRF. For unexpected responses, JDBC will put the response body into the error. So the response of the internal server will be leaked if the server also returns the error directly to the user. The relevant code is in file path `/presto-client/src/main/java/com/facebook/presto/client/StatementClientV1.java` and function `StatementClientV1` . T...

CVE-2023-39645: [CVE-2023-39645] Improper neutralization of SQL parameter in Theme Volty CMS Payment Icon module for PrestaShop

Theme volty tvcmspaymenticon up to v4.0.1 was discovered to contain a SQL injection vulnerability via the component /tvcmspaymenticon/ajax.php?action=update_position&recordsArray.

CVE-2023-3349: Multiple Vulnerabilities Ibermatica Rps 2019 | INCIBE-CERT

Information exposure vulnerability in IBERMATICA RPS 2019, which exploitation could allow an unauthenticated user to retrieve sensitive information, such as usernames, IP addresses or SQL queries sent to the application. By accessing the URL /RPS2019Service/status.html, the application enables the logging mechanism by generating the log file, which can be downloaded.

CVE-2023-2681: Jorani Sql Injection | INCIBE-CERT

An SQL Injection vulnerability has been found on Jorani version 1.0.0. This vulnerability allows an authenticated remote user, with low privileges, to send queries with malicious SQL code on the "/leaves/validate" path and the “id” parameter, managing to extract arbritary information from the database.

Protecting your IT infrastructure with Security Configuration Assessment (SCA)

Security Configuration Assessment (SCA) is critical to an organization's cybersecurity strategy. SCA aims to discover vulnerabilities and misconfigurations that malicious actors exploit to gain unauthorized access to systems and data. Regular security configuration assessments are essential in maintaining a secure and compliant environment, as this minimizes the risk of cyber attacks. The

CVE-2023-4097: Multiple Vulnerabilities Idm Sistemas Qsige | INCIBE-CERT

The file upload functionality is not implemented correctly and allows uploading of any type of file. As a prerequisite, it is necessary for the attacker to log into the application with a valid username.

CVE-2023-3440: hitachi-sec-2023-145: File and Directory Permissions Vulnerability in JP1/Performance Management

Incorrect Default Permissions vulnerability in Hitachi JP1/Performance Management on Windows allows File Manipulation.This issue affects JP1/Performance Management - Manager: from 09-00 before 12-50-07; JP1/Performance Management - Base: from 09-00 through 10-50-*; JP1/Performance Management - Agent Option for Application Server: from 11-00 before 11-50-16; JP1/Performance Management - Agent Option for Enterprise Applications: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for HiRDB: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for IBM Lotus Domino: from 10-00 before 11-50-16; JP1/Performance Management - Agent Option for Microsoft(R) Exchange Server: from 09-00 before  12-00-14; JP1/Performance Management - Agent Option for Microsoft(R) Internet Information Server: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for Microsoft(R) SQL Server: from 09-00 before 12-50-07; JP1/Performance Management - Agent Option for Or...

CVE-2023-43980: [CVE-2023-43980] Improper neutralization of SQL parameter in Presto Changeo - Test Site Creator module for PrestaShop

Presto Changeo testsitecreator up to v1.1.1 was discovered to contain a SQL injection vulnerability via the component disable_json.php.

CVE-2023-43836: CVE-2023-43836

There is a SQL injection vulnerability in the Jizhicms 2.4.9 backend, which users can use to obtain database information