Total
17555 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-27709 | 1 Eskooly | 1 Web Product | 2024-11-21 | 9.8 Critical |
| SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component. | ||||
| CVE-2024-27574 | 1 Trainme Acadamy | 1 Ichin | 2024-11-21 | 9.1 Critical |
| SQL Injection vulnerability in Trainme Academy version Ichin v.1.3.2 allows a remote attacker to obtain sensitive information via the informacion, idcurso, and tit parameters. | ||||
| CVE-2024-25924 | 2024-11-21 | 7.6 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Trustindex.Io WP Testimonials.This issue affects WP Testimonials: from n/a through 1.4.3. | ||||
| CVE-2024-25316 | 1 Hotel Management System Project | 1 Hotel Management System | 2024-11-21 | 9.8 Critical |
| Code-projects Hotel Managment System 1.0 allows SQL Injection via the 'eid' parameter in Hotel/admin/usersettingdel.php?eid=2. | ||||
| CVE-2024-25306 | 1 Code-projects | 1 Simple School Management System | 2024-11-21 | 8.8 High |
| Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'aname' parameter at "School/index.php". | ||||
| CVE-2024-25222 | 1 Task Manager In Php With Source Code Project | 1 Task Manager In Php With Source Code | 2024-11-21 | 9.8 Critical |
| Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the projectID parameter at /TaskManager/EditProject.php. | ||||
| CVE-2024-25214 | 1 Sherlock | 1 Employee Management System | 2024-11-21 | 9.8 Critical |
| An issue in Employee Managment System v1.0 allows attackers to bypass authentication via injecting a crafted payload into the E-mail and Password parameters at /alogin.html. | ||||
| CVE-2024-25212 | 1 Sherlock | 1 Employee Management System | 2024-11-21 | 7.2 High |
| Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /delete.php. | ||||
| CVE-2024-24868 | 2024-11-21 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager: from n/a through 4.69. | ||||
| CVE-2024-24572 | 1 Facilemanager | 1 Facilemanager | 2024-11-21 | 6.5 Medium |
| facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql variable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable. | ||||
| CVE-2024-24308 | 1 Boostmyshop | 1 Boostmyshop | 2024-11-21 | 9.8 Critical |
| SQL Injection vulnerability in Boostmyshop (boostmyshopagent) module for Prestashop versions 1.1.9 and before, allows remote attackers to escalate privileges and obtain sensitive information via changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php. | ||||
| CVE-2024-24303 | 1 Hipresta | 1 Gift Wrapping Pro | 2024-11-21 | 9.8 Critical |
| SQL Injection vulnerability in HiPresta "Gift Wrapping Pro" (hiadvancedgiftwrapping) module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information via the HiAdvancedGiftWrappingGiftWrappingModuleFrontController::addGiftWrappingCartValue() method. | ||||
| CVE-2024-24213 | 1 Supabase | 1 Postgres | 2024-11-21 | 9.8 Critical |
| Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically, /pg_meta/default/query is for SQL queries that are entered in an intended UI by an authorized user. Nothing is injected. | ||||
| CVE-2024-24141 | 1 Remyandrade | 1 School Task Manager | 2024-11-21 | 9.8 Critical |
| Sourcecodester School Task Manager App 1.0 allows SQL Injection via the 'task' parameter. | ||||
| CVE-2024-24139 | 1 Remyandrade | 1 Login System With Email Verification | 2024-11-21 | 7.2 High |
| Sourcecodester Login System with Email Verification 1.0 allows SQL Injection via the 'user' parameter. | ||||
| CVE-2024-24133 | 1 Atmail | 1 Atmail | 2024-11-21 | 9.8 Critical |
| Atmail v6.6.0 was discovered to contain a SQL injection vulnerability via the username parameter on the login page. | ||||
| CVE-2024-24023 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | 9.8 Critical |
| A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list. | ||||
| CVE-2024-24017 | 1 Xxyopen | 1 Novel-plus | 2024-11-21 | 9.8 Critical |
| A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list | ||||
| CVE-2024-24004 | 1 Jishenghua | 1 Jsherp | 2024-11-21 | 9.8 Critical |
| jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection. | ||||
| CVE-2024-24002 | 1 Jishenghua | 1 Jsherp | 2024-11-21 | 9.8 Critical |
| jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection. | ||||