Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-5002: Remote command Execution by an Authenticated user in pgAdmin 4 · Issue #6763 · pgadmin-org/pgadmin4

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. Versions of pgAdmin prior to 7.6 failed to properly control the server code executed on this API, allowing an authenticated user to run arbitrary commands on the server.

CVE
#sql#perl#auth#postgres
CVE-2023-4716: class-mla-shortcode-support.php in media-library-assistant/trunk/includes – WordPress Plugin Repository

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shortcode in versions up to, and including, 3.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

GHSA-p46g-8c3q-89p2: FUXA SQL Injection vulnerability

FUXA <= 1.1.12 is vulnerable to SQL Injection via `/api/signin`.

GHSA-v9q5-9crp-92f9: FUXA SQL Injection vulnerability

A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

CVE-2023-31719: GitHub - MateusTesser/CVE-2023-31719

FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.

CVE-2023-31717

A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

CVE-2023-34576: [CVE-2023-34576] Improper neutralization of SQL parameter in Opart Faq for PrestaShop

SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspedified vector.

CVE-2023-34577: [CVE-2023-34577] Improper neutralization of SQL parameter in Opart Planned popup for PrestaShop

SQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method.

CVE-2023-42807: Frappe LMS SQL Injection Issue on People Page

Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won't face this issue if they are using the latest main branch of the app.