| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| SQL injection vulnerability in the DRED virtual campus platform. This vulnerability allows an attacker to retrieve, create, update, and delete data from the database by sending a POST request using the ‘buscame’ parameter in ‘/catalogo_c/catalogo.php’. |
| An issue in DataLife Engine v.17.1 and before is vulnerable to SQL Injection in dboption. |
| A vulnerability was found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. It has been rated as critical. This issue affects the function findDoctorByCondition of the file DoctorServiceImpl.java. The manipulation of the argument hospitalName leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. |
| Saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. |
| Login functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. |
| A vulnerability was identified in Surbowl dormitory-management-php up to 9f1d9d1f528cabffc66fda3652c56ff327fda317. Affected is an unknown function of the file /admin/violation_add.php?id=2. Such manipulation of the argument ID leads to sql injection. The attack may be performed from a remote location. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This vulnerability only affects products that are no longer supported by the maintainer. |
| An 'SQL Injection' vulnerability, due to improper neutralization of special elements used in SQL commands, exists in ZKTeco-based OEM devices. This vulnerability allows an attacker to, in some cases, impersonate another user or perform unauthorized actions. In other instances, it enables the attacker to access user data and system parameters from the database.
This issue affects
ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others)
with firmware
ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other, Standalone service v. 2.1.6-20200907 and possibly others. |
| SQL injection in Sergestec's SISTICK v7.2. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'id' parameter in '/index.php?view=ticket_detail'. |
| SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint. |
| Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands. |
| A vulnerability was found in Shandong Star Measurement and Control Equipment Heating Network Wireless Monitoring System 5.6.2 and classified as critical. Affected by this issue is the function GetDataKindByType of the file /DataSrvs/UCCGSrv.asmx. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection') vulnerability in ZkTeco-based OEM devices allows an
attacker
to authenticate under any user from the device database.
This issue affects
ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec
ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0
and possibly others. |
| Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can use UNION-based injection to extract sensitive information from the users table including usernames and passwords. |
| While editing pages managed by MegaBIP a user with high privileges is prompted to give a reasoning for performing this action. Input provided by the the user is not sanitized, leading to SQL Injection vulnerability.
Version 5.20 of MegaBIP fixes this issue. |
| A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This issue affects some unknown processing of the file /index.php/Login/login. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Exnet Informatics Software Ferry Reservation System allows SQL Injection.This issue affects Ferry Reservation System: before 240805-002. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bayraktar Solar Energies ScadaWatt Otopilot allows SQL Injection.This issue affects ScadaWatt Otopilot: before 27.05.2025. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Teknogis Informatics Closed Circuit Vehicle Tracking Software allows SQL Injection, Blind SQL Injection.This issue affects Closed Circuit Vehicle Tracking Software: through 21.11.2024.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring. |
| A vulnerability, which was classified as critical, has been found in webuidesigning NebulaX Theme up to 5.0 on WordPress. This issue affects the function nebula_send_to_hubspot of the file libs/Legacy/Legacy.php. The manipulation leads to sql injection. The attack may be initiated remotely. The patch is named 41230a81db0f671c570c2644bc2f80565ca83c5a. It is recommended to apply a patch to fix this issue. |
