Total
15169 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8427 | 1 Unitrends | 1 Backup | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass. | |||||
| CVE-2020-8242 | 1 Expressionengine | 1 Expressionengine | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack. | |||||
| CVE-2020-8211 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Improper input validation in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows SQL Injection. | |||||
| CVE-2020-7981 | 1 Rubygeocoder | 1 Geocoder | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data. | |||||
| CVE-2020-7939 | 1 Plone | 1 Plone | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) | |||||
| CVE-2020-7819 | 2 Microsoft, Ntracker | 2 Windows, Ntracker Usb Enterprise | 2024-11-21 | 5.0 MEDIUM | 9.3 CRITICAL |
| A SQL-Injection vulnerability in the nTracker USB Enterprise(secure USB management solution) allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. | |||||
| CVE-2020-7759 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
| The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds=[{"keyId"%3a"''","groupId"%3a"'asd'))+or+1%3d1+union+(select+1,2,3,4,5,6,name,8,password,'',11,12,'',14+from+users)+--+"}] | |||||
| CVE-2020-7577 | 1 Siemens | 1 Opcenter Execution Core | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2). Through the use of several vulnerable fields of the application, an authenticated user could perform an SQL Injection attack by passing a modified SQL query downstream to the back-end server. The exploit of this vulnerability could be used to read, and potentially modify application data to which the user has access to. | |||||
| CVE-2020-7500 | 1 Schneider-electric | 12 Mtn6260-0310, Mtn6260-0310 Firmware, Mtn6260-0315 and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause arbitrary code to be executed when a malicious command is entered. | |||||
| CVE-2020-7493 | 1 Schneider-electric | 1 Ecostruxure Operator Terminal Expert | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicious code execution when opening the project file. | |||||
| CVE-2020-7471 | 1 Djangoproject | 1 Django | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. | |||||
| CVE-2020-7383 | 1 Rapid7 | 1 Nexpose | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access. | |||||
| CVE-2020-7356 | 1 Cayintech | 1 Xpost | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and execute SYSTEM commands. | |||||
| CVE-2020-7229 | 1 Simplejobscript | 1 Simplejobscript | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Simplejobscript.com SJS before 1.65. There is unauthenticated SQL injection via the search engine. The parameter is landing_location. The function is countSearchedJobs(). The file is _lib/class.Job.php. | |||||
| CVE-2020-6960 | 1 Honeywell | 12 Hnmswvms, Hnmswvms Firmware, Hnmswvmslt and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch contain an SQL injection vulnerability that could give an attacker remote unauthenticated access to the web user interface with administrator-level privileges. | |||||
| CVE-2020-6880 | 1 Zte | 2 Zxv10 W908, Zxv10 W908 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A ZXELINK wireless controller has a SQL injection vulnerability. A remote attacker does not need to log in. By sending malicious SQL statements, because the device does not properly filter parameters, successful use can obtain management rights. This affects: ZXV10 W908 all versions before MIPS_A_1022IPV6R3T6P7Y20. | |||||
| CVE-2020-6637 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php. | |||||
| CVE-2020-6577 | 1 It-recht-kanzlei | 1 It-recht-kanzlei | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection. | |||||
| CVE-2020-6253 | 1 Sap | 1 Adaptive Server Enterprise | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Under certain conditions, SAP Adaptive Server Enterprise (Web Services), versions 15.7, 16.0, allows an authenticated user to execute crafted database queries to elevate their privileges, modify database objects, or execute commands they are not otherwise authorized to execute, leading to SQL Injection. | |||||
| CVE-2020-6249 | 1 Sap | 3 Master Data Governance \(s4core\), Master Data Governance \(s4fnd\), Master Data Governance \(sap Bs Fnd\) | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The use of an admin backend report within SAP Master Data Governance, versions - S4CORE 101, S4FND 102, 103, 104, SAP_BS_FND 748; allows an attacker to execute crafted database queries, exposing the backend database, leading to SQL Injection. | |||||