Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2019-12351: zzcms 2019 dl/dl_print.php SQL injection · Issue #3 · cby234/zzcms

An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.

CVE
Open in Source
#sql#vulnerability#php
CVE-2021-26633: KISA 인터넷 보호나라&KrCERT

SQL injection and Local File Inclusion (LFI) vulnerabilities in MaxBoard can cause information leakage and privilege escalation. This vulnerabilities can be exploited by manipulating a variable with a desired value and inserting and arbitrary file.

CVE-2021-26634: KISA 인터넷 보호나라&KrCERT

SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of files compromising Maxboard, which may lead to arbitrary code execution or privilege escalation. Attackers can use these vulnerabilities to perform attacks such as stealing server management rights using a web shell.

CVE-2021-32546: Releases · gogs/gogs

Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with "\" as its name, and then rename this file to .git/config with the custom configuration content (and then save it).

CVE-2021-44095: GitHub - projectworldsofficial/hospital-management-system-in-php: This is Hospital Management System Hospital management system is one of the best software that manages various activities in hospital

A SQL injection vulnerability exists in ProjectWorlds Hospital Management System in php 1.0 on login page that allows a remote attacker to compromise Application SQL database.

CVE-2021-44096: Vulnerability/BUG - SQL Injection on "profile_action - update_user" · Issue #2 · EGavilan-Media/User-Registration-and-Login-System-With-Admin-Panel

EGavilan Media User-Registration-and-Login-System-With-Admin-Panel 1.0 is vulnerable to SQL Injection via profile_action - update_user. This allows a remote attacker to compromise Application SQL database.

CVE-2021-44097: CVE-2021–44097 - Shubham pandey - Medium

EGavilan Media Contact-Form-With-Messages-Entry-Management 1.0 is vulnerable to SQL Injection via Addmessage.php. This allows a remote attacker to compromise Application SQL database.

CVE-2021-44098: CVE-2021–44098 - Shubham pandey - Medium

EGavilan Media Expense-Management-System 1.0 is vulnerable to SQL Injection via /expense_action.php. This allows a remote attacker to compromise Application SQL database.

CVE-2022-29627: OpenSource/exploit_idor.md at main · nsparker1337/OpenSource

An insecure direct object reference (IDOR) in Online Market Place Site v1.0 allows attackers to modify products that are owned by other sellers.

CVE-2022-29628: OpenSource/exploit_rxss.md at main · nsparker1337/OpenSource

A cross-site scripting (XSS) vulnerability in /omps/seller of Online Market Place Site v1.0 allows attackers to execute arbitrary web cripts or HTML via a crafted payload injected into the Page parameter.