| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges. |
| Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php uid parameter, the admin/viewemcamp.php fnum parameter, or the admin/viewvisitcamp.php fn parameter. |
| Techno - Portfolio Management Panel through 2017-11-16 allows SQL Injection via the panel/search.php s parameter. |
| Fiyo CMS 2.0.7 has SQL injection in /system/site.php via $_REQUEST['link']. |
| A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request. |
| SQL injection vulnerability in the InLinks plugin through 1.1 for WordPress allows authenticated users to execute arbitrary SQL commands via the "keyword" parameter to /wp-admin/options-general.php?page=inlinks/inlinks.php. |
| Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, the /register lat parameter, the /register lon parameter, the /register org parameter, the /register query parameter, the /register region parameter, the /register regionName parameter, the /register timezone parameter, the /register vId parameter, the /register zip parameter, or the /tping id parameter. |
| A SQL injection in classes/handler/public.php in the forgotpass component of Tiny Tiny RSS 17.4 exists via the login parameter. |
| The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application. |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. |
| CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorderstatus parameter. |
| Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. |
| Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. |
| /view/friend_profile.php in Ingenious School Management System 2.3.0 is vulnerable to Boolean-based and Time-based SQL injection in the 'friend_index' parameter of a GET request. |
| Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. |
| Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request. |
| WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter. |
