2 matches found
QIWI: Remote Code Execution on contactws.contact-sys.com via SQL injection in TAktifBankObject.GetOrder in parameter DOC_ID
Summary The API interface on https://contactws.contact-sys.com:3456/ accepts a body to interact with the server's AppServ object. Because of insufficient input validation, an attacker can abuse the DOCID parameter on the TAktifBankObject operation GetOrder to inject arbitrary SQL statements into...
LedgerSMB < 1.2.8, SQL-Ledger 2.x Multiple SQL Injection Issues
Severity: Critical Effect: Compromise of FInancial Data, deletion of audit trails, alteration of system settings, disclosure of confidential information possible in some setups. Affected products: LedgerSMB 1.0.0-1.2.7 , SQL-Ledger 2.x all versions. 1: SQL injection issue in invoice quantity fiel...