CVE-2022-4165 Contest Gallery < 19.1.5 - Author+ SQL Injection

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cgorder POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author...

SQL Injection

mgallegos/laravel-jqgrid is vulnerable to SQL injection. The vulnerability exists in the getRows function in EloquentRepositoryAbstract.php because the library directly passes the values added at the end of query sorting to the database, allowing a malicious user to inject and execute arbitrary S...

PT-2022-8132 · Undefined · Undefined

Name of the Vulnerable Software and Affected Versions: No vulnerable software or affected versions specified. Description: The provided information does not contain details about a specific vulnerability. It appears to be a notification about a rejected candidate number from the National...

Calendar name length not validated before writing to database

None...

WordPress HTML Forms plugin SQL Injection Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A SQL injection vulnerabili...

CVE-2022-45329

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information...

CVE-2022-45529

CVE-2022-45529 affects AeroCMS v0.0.1. A SQL Injection flaw exists in the post_category_id parameter of admin/includes/edit_post.php, enabling an attacker to access database information. The vulnerability stems from improper input handling in the affected endpoint. The CVSS-based assessment in pr...

3 Types of SQLi in `s` param - (Time/Boolean/Error Based)

Description I have found 3 types of SQLi on the s parameter Proof of Concept Time-Based Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time in seconds before...

Design/Logic Flaw

If anonymous read enabled, it's possible to read the database file directly without logging in...

CVE-2022-28764 Local information exposure in Zoom Clients

The Zoom Client for Meetings for Android, iOS, Linux, macOS, and Windows before version 5.12.6 is susceptible to a local information exposure vulnerability. A failure to clear data from a local SQL database after a meeting ends and the usage of an insufficiently secure per-device key encrypting...

CVE-2022-45136

CVE-2022-45136 affects Apache Jena SDB 3.17.0 and earlier. The vulnerability is a JDBC Deserialisation flaw that can lead to remote code execution when an attacker controls the JDBC URL or causes the database to return malicious data; the MySQL JDBC driver is specifically implicated. Jena SDB has...

CVE-2022-41892

Arches (Geospatial web platform) is vulnerable to SQL Injection in versions prior to 6.1.2, 6.2.1, and 7.1.2. Root cause is unsafe handling of crafted web requests that can execute arbitrary SQL against the database. Impact is high (confidentiality, integrity, and availability affected per CVSS h...

CVE-2022-41878

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

CVE-2022-41259

SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use an ARRAY constructor...

CVE-2020-12507 s::can moni::tools autheticated SQL injection

In s::can moni::tools before version 4.2 an authenticated attacker could get full access to the database through SQL injection. This may result in loss of confidentiality, loss of integrity and DoS...

TiDB vulnerable to Use of Externally-Controlled Format String

TiDB server importer CLI tool prior to version 6.4.0 & 6.1.3 is vulnerable to data source name injection. The database name for generating and inserting data into a database does not properly sanitize user input which can lead to arbitrary file reads."...

CVE-2021-37823

OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the background...

CVE-2022-42744

CVE-2022-42744 affects CandidATS at version 3.0.0. The root cause is improper validation of the entriesPerPage parameter, enabling an external attacker to perform CRUD operations on the application databases via SQL injection. Impact is high: confidentiality, integrity, and availability are all c...

Default credentials

Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Desktop Manager 2022.2.26 and prior versions and Devolutions Server 2022.3.1 and prior versions which allows database users to read the data. This issue affects : Remote...

Design/Logic Flaw

Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is...