1985 matches found

Redos
added 2022/03/09 12:00 a.m., 25 views

ROS-20220309-01

A vulnerability in the cyrus-sasl authentication mechanism implementation is related to insufficient password cleansing in the SQL plug-in provided with Cyrus SASL. Exploitation of the vulnerability could allow an attacker, acting remotely, to send a specially crafted query to a vulnerable applicati...

CVSS 8.8, AI score 9.1, EPSS 0.04123
Exploits 0
CNVD
added 2022/03/04 12:00 a.m., 18 views

OS4Ed OpenSIS SQL Injection Vulnerability (CNVD-2022-29290)

OS4Ed OpenSIS is OS4Ed's commercial-grade, secure, scalable and intuitive student information system and school management software, with all the functionality to run single or multiple institutions in a single installation. OS4Ed OpenSIS version 8.0 is vulnerable to SQL injection, which can be...

CVSS 7.5, AI score 3.1, EPSS 0.0126
Exploits 1, References 1
CNNVD
added 2022/03/04 12:00 a.m., 24 views

Github liquibase Code Problem Vulnerability

Github liquibase is used to track, version, and deploy database architecture changes. A security vulnerability exists in liquibase that stems from improperly restricted XML external entity references...

CVSS 9.8, AI score 7.5, EPSS 0.02921
Exploits 1, References 5
NVD
added 2022/03/03 2:15 p.m., 17 views

CVE-2021-40635

OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database...

CVSS 7.5, EPSS 0.0126
Exploits 1, References 1
CNVD
added 2022/03/03 12:00 a.m., 25 views

Taocms SQL Injection Vulnerability (CNVD-2022-31825)

Taocms is a micro CMS (content management system) from China. A SQL injection vulnerability exists in Taocms version 3.0.2, which originates from a lack of validation of externally entered SQL statements in the Comment Update field. An attacker can exploit this vulnerability to execute illegal SQL...

CVSS 7.5, AI score 7.9, EPSS 0.01195
Exploits 1, References 1
CNVD
added 2022/03/02 12:00 a.m., 13 views

WordPress Asgaros Forum Plugin SQL Injection Vulnerability

WordPress is a blogging platform developed in the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A SQL injection vulnerability exists in WordPress Asgaros Forum Plugin versions prior to 2.0.0, which stems fr...

CVSS 8.8, AI score 9, EPSS 0.01493
Exploits 2, References 1
CNVD
added 2022/02/28 12:00 a.m., 8 views

SQL Injection Vulnerability in the Monthly Care ERP Management Platform of Wuhan Jin Tongfang Technology Co. Ltd (CNVD-2022-25885)

Wuhan Jin Tongfang Technology Co., Ltd. is a company that provides informatization solutions for the maternal and child service industry. There is a SQL injection vulnerability in the monthly care ERP management platform of Wuhan Golden Tongfang Technology Co. Ltd, which can be exploited by attacke...

AI score 7.5
Exploits 0
Prion
added 2022/02/23 11:15 p.m., 13 views

Race condition

B2 Command Line Tool is the official command line tool for the Backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool, version 3.2.0 and below, contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a...

CVSS 1.9, AI score 4.5, EPSS 0.00201
Exploits 0, References 2, Affected Software 1
Imperva Blog
added 2022/02/23 2:54 p.m., 24 views

Imperva Adds Active Attack Detection to its Data Security Platform

Protecting the data perimeter. Organizations are in constant pursuit of technology that provides rapid insight into threats. Early visibility, in combination with context-rich alerting and efficient incident response workflows, streamlines threat containment and remediation efforts. Identifying...

AI score 0.2
Exploits 0
CNVD
added 2022/02/20 12:00 a.m., 12 views

SQL Injection Vulnerability in the Moonchild Club ERP Management Platform of Wuhan Golden Tongfang Technology Co., Ltd.

The Moonchild Club ERP management platform is comprehensive management software developed by the research and development team of Wuhan Golden Tongfang Technology Co., Ltd. that covers the needs of enterprises in the postpartum care centre industry across every stage of the centre's business process. Wuhan Golden Tongfang Technology Co., Ltd. has a S...

AI score 2.5
Exploits 0
CNVD
added 2022/02/10 12:00 a.m., 10 views

WordPress Wicked Folders plugin SQL injection vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The WordPress Wicked Folders plugin in version 2.8.10 has a SQL injection vulnerability, which stems from the failure to filter and escape the oderid parameter and can be used by attackers to execut...

CVSS 8.8, AI score 3.9, EPSS 0.01493
Exploits 2, References 1
CNVD
added 2022/02/10 12:00 a.m., 12 views

Sourcecodester Simple Client Management System SQL Injection Vulnerability (CNVD-2022-35540)

Sourcecodester Simple Client Management System is a simple web-based application that provides an online platform to manage company customer invoices. Sourcecodester Simple Client Management System has a SQL injection vulnerability, which stems from the application's lack of validation...

CVSS 9.8, AI score 2.9, EPSS 0.01822
Exploits 1, References 1
CNVD
added 2022/02/10 12:00 a.m., 13 views

SQL Injection Vulnerability in Road Passenger Transportation Ticketing System of Centillion Times Technology Group Co.

Centillion Times Technology Group Co., Ltd. has become China's largest "Internet +" public travel comprehensive service operation platform, and has built and operated provincial road passenger transportation network ticketing systems for many provinces, municipalities and autonomous regions. ...

AI score 7.4
Exploits 0
Prion
added 2022/02/07 11:15 a.m., 8 views

Design/Logic Flaw

XMPie uStore 12.3.7244.0 allows for administrators to generate reports based on raw SQL queries. Since the application ships with default administrative credentials, an attacker may authenticate into the application and exfiltrate sensitive information from the database...

CVSS 5, AI score 7.6, EPSS 0.01641
Exploits 1, References 4, Affected Software 1
Friends Of PHP
added 2022/02/04 8:13 a.m., 9 views

Possible SQL injection in widget field value

Impact: The currently selected widget values were not correctly sanitized before being passed to the database, leading to an SQL injection possibility. Patches: The issue has been patched in tablelookupwizard version 3.3.5 and version 4.0.0. For more information: If you have any questions or comments...

AI score 5.8
Exploits 0, Affected Software 1
Imperva Blog
added 2022/02/03 4:18 p.m., 17 views

What Does an Internal Attack Resulting in a Data Breach Look Like in Today’s Threat Landscape?

In my last blog, I explained why taking the approach of setting up perimeter defenses, restricting data access, patching vulnerabilities, applying sensors to data movement, and encrypting data is no longer solely effective at stopping data breaches in today’s threat landscape. I also discussed th...

AI score 7
Exploits 0
NVD
added 2022/02/03 2:15 p.m., 13 views

CVE-2021-44866

An issue was discovered in Online-Movie-Ticket-Booking-System 1.0. The file about.php does not perform input validation on the 'id' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database...

CVSS 7.5, EPSS 0.00987
Exploits 1, References 1
CNVD
added 2022/01/25 12:00 a.m., 25 views

Oracle MySQL Cluster Buffer Overflow Vulnerability (CNVD-2022-18211)

MySQL Cluster is a write-scalable, real-time, ACID-compliant transactional database designed to guarantee 99.999% availability. A buffer overflow vulnerability exists in Oracle MySQL Cluster, which can be exploited by an attacker to execute code in the context of a service account...

CVSS 6.3, AI score 6.2, EPSS 0.02795
Exploits 0, References 1
NVD
added 2022/01/24 2:15 a.m., 12 views

CVE-2022-23857

model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table which contains sensitive information such as the users...

CVSS 6.5, EPSS 0.00932
Exploits 0, References 2
CVE
added 2022/01/21 6:17 p.m., 69 views

CVE-2022-23129

CVE-2022-23129 affects Mitsubishi Electric MC Works64 and ICONICS GENESIS64 where exporting GridWorX Server configuration to CSV saves authentication information in plaintext. Affected products: ICONICS GENESIS64 (versions 10.90 to 10.97) and MC Works64 (prior to 4.04E / 10.95.210.01). Root cause...

CVSS 5.5, AI score 5.5, EPSS 0.00186
Exploits 0, References 3, Affected Software 2