31 matches found
GHSA-R2F4-FF2P-XC64 Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save
Description An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. The vulnerable flow accepts compositeIndices from imported JSON, stores the values...
CVE-2026-33914
OpenEMR (prior to 8.0.0.3) contains a blind SQL injection in the PostCalendar categoriesUpdate function. The malicious code uses the dels POST parameter, which is read via pnVarCleanFromInput() (HTML tags stripped only) and directly interpolated into a raw SQL DELETE statement executed by Doctri...
CVE-2026-33914 OpenEMR has SQL Injection in PostCalendar Category Delete
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via...
EUVD-2021-2388
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2021-43608
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an...
CVE-2021-43822
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API PHPCR using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible...
Security Bulletin: IBM Application Navigator, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote attacker exploitation of Apache Log4j (CVE-2021-44228)
Summary IBM Application Navigator, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote attacker exploitation of Apache Log4j CVE-2021-44228. The IBM Application Navigator contains a copy of Apache Log4j which is not used by the IBM Application Navigator function. Out o...
GHSA-PH98-V78F-JQRM SQL injection in jackalope/jackalope-doctrine-dbal
Impact Users can provoke SQL injections if they can specify a node name or query. Patches Upgrade to version 1.7.4 If that is not possible, you can escape all places where $property is used to filter sv:name in the class Jackalope\Transport\DoctrineDBAL\Query\QOMWalker: XPath::escape$property...
SQL injection in jackalope/jackalope-doctrine-dbal
Impact Users can provoke SQL injections if they can specify a node name or query. Patches Upgrade to version 1.7.4 If that is not possible, you can escape all places where $property is used to filter sv:name in the class Jackalope\Transport\DoctrineDBAL\Query\QOMWalker: XPath::escape$property...
Sql injection
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API PHPCR using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible...
CVE-2021-43822
CVE-2021-43822 concerns SQL injection in the Jackalope Doctrine-DBAL PHPCR implementation. The vulnerability arises because the component that translates the query object model into Doctrine DBAL queries does not properly escape certain user-controlled identifiers (node names and xpaths), allowin...
CVE-2021-43822 SQL injection in jackalope/jackalope-doctrine-dbal
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API PHPCR using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible...
Jackalope Doctrine-DBAL SQL Injection Vulnerability
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API PHPCR that uses a relational database to persist data. Jackalope Doctrine-DBAL suffers from a SQL injection vulnerability that stems from the software's lack of effective filtering for the $property parameter. In the...
CVE-2021-43608
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other A...
Sql injection
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other A...