Total
17594 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-53544 | 2025-02-25 | 9.8 Critical | ||
| NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the getCookieNames method in the smarttimeplus/MySQLConnection endpoint. | ||||
| CVE-2023-28108 | 1 Pimcore | 1 Pimcore | 2025-02-25 | 7.9 High |
| Pimcore is an open source data and experience management platform. Prior to version 10.5.19, quoting is not done properly in UUID DAO model. There is the theoretical possibility to inject custom SQL if the developer is using this methods with input data and not doing proper input validation in advance and so relies on the auto-quoting being done by the DAO class. Users should update to version 10.5.19 to receive a patch or, as a workaround, apply the patch manually. | ||||
| CVE-2023-28438 | 1 Pimcore | 1 Pimcore | 2025-02-25 | 6.2 Medium |
| Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually. | ||||
| CVE-2025-1640 | 2025-02-25 | 7.3 High | ||
| A vulnerability was found in Benner ModernaNet up to 1.1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /Home/JS_CarregaCombo?formName=DADOS_PESSOAIS_PLANO&additionalCondition=&insideParameters=&elementToReturn=DADOS_PESSOAIS_PLANO&ordenarPelaDescricao=true&direcaoOrdenacao=asc&_=1739290047295. The manipulation leads to sql injection. The attack may be launched remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-1641 | 2025-02-25 | 7.3 High | ||
| A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been classified as critical. This affects an unknown part of the file /AGE0000700/GetHorariosDoDia?idespec=0&idproced=1103&data=2025-02-25+19%3A25&agserv=0&convenio=1&localatend=1&idplano=5&pesfis=01&idprofissional=0&target=.horarios--dia--d0&_=1739371223797. The manipulation leads to sql injection. It is possible to initiate the attack remotely. Upgrading to version 1.1.1 is able to address this issue. It is recommended to upgrade the affected component. | ||||
| CVE-2025-0821 | 1 Bitapps | 1 Bit Assist | 2025-02-25 | 6.5 Medium |
| Bit Assist plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-1356 | 1 Needyamin | 1 Library Card System | 2025-02-25 | 6.3 Medium |
| A vulnerability was found in needyamin Library Card System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file card.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-11260 | 1 Pixelite | 1 Events Manager | 2025-02-25 | 7.5 High |
| The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the active_status parameter in all versions up to, and including, 6.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-12276 | 1 Ultimatemember | 1 Ultimate Member | 2025-02-25 | 5.3 Medium |
| The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to second-order SQL Injection via filenames in all versions up to, and including, 2.9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to upload files and manage filenames through a third-party plugin like a File Manager, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The risk of this vulnerability is very minimal as it requires a user to be able to manipulate filenames in order to successfully exploit. | ||||
| CVE-2024-13713 | 1 Wpexperts | 1 Givewp Square | 2025-02-25 | 6.5 Medium |
| The WPExperts Square For GiveWP plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-13846 | 1 Wpindeed | 1 Ultimate Learning Pro | 2025-02-25 | 4.9 Medium |
| The Indeed Ultimate Learning Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-27133 | 2025-02-24 | N/A | ||
| WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was discovered in the WeGIA application prior to version 3.2.15 at the `adicionar_tipo_exame.php` endpoint. This vulnerability allows an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. Version 3.2.15 contains a patch for the issue. | ||||
| CVE-2024-54820 | 2025-02-24 | 9.8 Critical | ||
| XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. This vulnerability allows attackers to extract all usernames and passwords via a crafted input. | ||||
| CVE-2024-12918 | 2025-02-24 | 8.8 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Health4All allows SQL Injection.This issue affects Health4All: before 10.01.2025. | ||||
| CVE-2025-27312 | 2025-02-24 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jenst WP Sitemap allows SQL Injection. This issue affects WP Sitemap: from n/a through 1.0. | ||||
| CVE-2025-27297 | 2025-02-24 | 7.6 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in guelben Bravo Search & Replace allows Blind SQL Injection. This issue affects Bravo Search & Replace: from n/a through 1.0. | ||||
| CVE-2024-12916 | 2025-02-24 | 8.8 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Life4All allows SQL Injection.This issue affects Life4All: before 10.01.2025. | ||||
| CVE-2021-43140 | 1 Oretnom23 | 1 Simple Subscription Website | 2025-02-24 | 9.8 Critical |
| SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. via the login. | ||||
| CVE-2022-30053 | 1 Oretnom23 | 1 Toll Tax Management System | 2025-02-24 | 9.8 Critical |
| In Toll Tax Management System 1.0, the id parameter appears to be vulnerable to SQL injection attacks. | ||||
| CVE-2022-34067 | 1 Oretnom23 | 1 Warehouse Management System | 2025-02-24 | 7.5 High |
| Warehouse Management System v1.0 was discovered to contain a SQL injection vulnerability via the cari parameter. | ||||