20 matches found
CVE-2026-33083
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLOb...
CVE-2026-33083
DataEase has a SQL injection in the orderDirection parameter for dataset endpoints (e.g., /de2api/datasetData/enumValueDs, /de2api/datasetTree/exportDataset) affecting versions 2.10.20 and earlier. The Order2SQLObj directly assigns raw user-supplied orderDirection into the SQL query and renders i...
CVE-2026-33083
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLOb...
EUVD-2026-23282
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLOb...
PT-2026-33352
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLOb...
CVE-2026-31825
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...
GHSA-XCWX-R2GW-W93M Sylius has a DQL Injection via API Order Filters
Impact Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL: GET /api/v2/shop/products?orderprice=ASC,%20variant.code%20DESC Patches The...
EUVD-2026-10923
Sylius has a DQL Injection via API Order Filters...
CVE-2025-70791
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...
Cross-site Scripting (XSS)
Overview microweber/microweber is a new generation CMS with drag and drop. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the orderDirection parameter in the /admin/order/abandoned endpoint. An attacker can execute arbitrary JavaScript code in the context of an...
GHSA-5JG5-XQFW-RV92 Microweber has a Cross-site Scripting vulnerability
Cross-site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...
CVE-2025-70791
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...
CVE-2025-70791
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...
PT-2026-6596
Name of the Vulnerable Software and Affected Versions Microweber versions prior to 2.0.20 Description A Cross Site Scripting issue exists in the /admin/order/abandoned API endpoint of the software. An attacker can manipulate the orderDirection parameter within a crafted URL. By enticing a user wi...
CVE-2025-70791
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...
CVE-2025-70791
CVE-2025-70791 : Microweber 2.0.19 has a Cross-Site Scripting vulnerability in the "/admin/order/abandoned" endpoint. The issue arises from accepting and manipulating the orderDirection parameter in a crafted URL, which can lure a user with admin privileges into visiting it and result in JavaScri...
CVE-2021-26754
wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=getwdtable order0dir SQL injection...
Centralized Salesforce Development Framework 注入漏洞
Centralized Salesforce Development Framework is a centralized development framework on the Force.com platform by Scott Covert, an individual developer. An injection vulnerability exists in the Centralized Salesforce Development Framework that stems from an incorrect manipulation of the parameter...
Piwigo SQL注入漏洞
Piwigo is a free and open source web photo album software. A SQL injection vulnerability exists in the order0dir parameter in admin/userlistbackend.php in Piwigo version 11.4.0. An attacker can exploit this vulnerability to obtain sensitive database information...
CVE-2021-26754
wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=getwdtable order0dir SQL injection...