#sql

A vulnerability has been found in IBOS OA 4.5.5 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /?r=recruit/resume/edit&op=status of the component Interview Handler. The manipulation of the argument resumeid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235147. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

### Impact Using some SQL exploitation tools such as sqlmap, an attacker can enumerate all information in the database, alter data or perform dos on the backend database. ### Patches Update to version 10.6.5 or apply this patch manually https://github.com/pimcore/pimcore/commit/e641968979d4a2377bbea5e2a76bdede040d0b97.patch ### Workarounds Apply patch https://github.com/pimcore/pimcore/commit/e641968979d4a2377bbea5e2a76bdede040d0b97.patch manually. ### References https://huntr.dev/bounties/b00a38b6-d040-494d-bf46-38f46ac1a1db/

SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4.

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

CMS TSS-EST version 1.0.0 from a remote SQL injection vulnerability that allows for authentication bypass.

Wifi Soft Unibox Administration versions 3.0 and 3.1 suffer from a remote SQL injection vulnerability.

CMS SAUDI SOFTECH version 5.0.2 suffers from a remote SQL injection vulnerability.

CMS NEXIN version 2.0 appears to leave default credentials installed after installation.

Buzzy News Viral Lists Polls and Videos version 2.0 appears to leave default credentials installed after installation.

A vulnerability was found in Hospital Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file patientprofile.php. The manipulation of the argument address leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235079.