Fujian Kelixin Communication - Command Injection

A vulnerability was found in Fujian Kelixin Communication Command and Dispatch Platform up to 20240318 and classified as critical. Affected by this issue is some unknown functionality of the file api/client/user/pwdupdate.php. id: CVE-2024-2621 info: name: Fujian Kelixin Communication - Command...

Riello Netman 204 - SQL Injection

The three endpoints /cgi-bin/dbdatalogw.cgi, /cgi-bin/dbeventlogw.cgi, and /cgi-bin/dbmultimetrw.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way. id: CVE-2024-8877 info: name: Riello Netman 204 - SQL...

IBAX - SQL Injection

IBAX go-ibax functionality is susceptible to SQL injection via the file /api/v2/open/rowsInfo. The manipulation of the argument tablename leads to SQL injection, and the attack may be launched remotely. An attacker can potentially obtain sensitive information, modify data, and/or execute...

Company Visitor Management System 1.0 - SQL Injection

Company Visitor Management System 1.0 contains a SQL injection vulnerability via the login page in the username parameter. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id...

Joomla! Component Canteen 1.0 - Local File Inclusion

A SQL injection vulnerability in menu.php in the Canteen comcanteen component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the mealid parameter to index.php. id: CVE-2010-4977 info: name: Joomla! Component Canteen 1.0 - Local File Inclusion author: daffainfo...

JS Help Desk <= 2.8.1 - SQL Injection

The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing S...

Alumni Management System 1.0 - SQL Injection

SourceCodester Alumni Management System 1.0 contains a sqlinjection caused by unsanitized input in admin/login.php, letting attackers bypass authentication, exploit requires injection of malicious SQL payload. id: CVE-2020-29214 info: name: Alumni Management System 1.0 - SQL Injection author:...

FreePBX - Remote Code Execution

FreePBX 15, 16, and 17 contain a remote code execution caused by insufficiently sanitized user-supplied data in endpoints, letting unauthenticated attackers manipulate the database and execute code remotely, exploit requires no authentication. id: CVE-2025-57819 info: name: FreePBX - Remote Code...

Relevanssi <= 4.24.4 (Free) - Unauthenticated SQL Injection

The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 Free and = 2.27.4 Premium due to insufficient escaping on the user supplied parameter and lack of sufficient...

Ads Pro Plugin <= 4.88 - Unauthenticated SQL Injection

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the 'aid' parameter in all versions up to, and including, 4.88 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...

PrestaShop productsalert - SQL Injection

In the module 'Products Alert' productsalert up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions. id: CVE-2024-36683 info: name: PrestaShop productsalert - SQL Injection author: mastercho severity: critical description: | In the module...

ASIS - SQL Injection Authentication Bypass

ASIS aka Aplikasi Sistem Sekolah using CodeIgniter 3 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass. id: CVE-2024-45622 info: name: ASIS - SQL Injection Authentication Bypass author: s4e-io severity: critical description: | ASIS aka Aplikasi Sistem Sekolah...

GamiPress <= 2.8.9 - SQL Injection

GamiPress WordPress plugin version 2.8.9 and below suffers from an SQL injection vulnerability due to insufficient sanitization of user input, allowing attackers to execute arbitrary SQL commands. id: CVE-2024-13496 info: name: GamiPress = 2.8.9 - SQL Injection author: ritikchaddha severity: high...

EfroTech Timetrax v8.3 - Sql Injection

EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface. id: CVE-2024-39250 info: name: EfroTech Timetrax v8.3 - Sql Injection author: s4e-io,efran severity: high description: | EfroTech Timetrax v8.3 was...

Mongoose < 8.8.3 - Remote Code Execution

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. id: CVE-2024-53900 info: name: Mongoose 8.8.3 - Remote Code Execution author: h4mg severity: critical description: | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. impact...

WP Travel Engine <= 5.7.9 - SQL Injection

WP Travel Engine 5.7.9 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL queries, exploit requires user interaction. id: CVE-2024-30502 info: name: WP Travel Engine = 5.7.9 - SQL Injection...

WordPress GamiPress <= 2.5.7 - SQL Injection

The GamiPress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.5.7 due to insufficient escaping on the user supplied parameter '$qv$fieldid' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to...

Academy LMS 6.2 - SQL Injection

A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument pricemin/pricemax leads to sql injection. The attack may be...

Doctor Appointment System 1.0 - SQL Injection

Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter. id: CVE-2021-27320 info: name: Doctor Appointment System 1.0 - SQL Injection author: theamanrawat severity: high description: | Blind S...

Cost Calculator Builder <= 3.2.15 - SQL Injection

The Cost Calculator Builder plugin for WordPress is vulnerable to SQL Injection via discount codes in versions up to, and including, 3.2.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...