Total
15085 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-3885 | 1 Erpnext | 1 Erpnext | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2018-3884 | 1 Erpnext | 1 Erpnext | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2018-3883 | 1 Erpnext | 1 Erpnext | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2018-3882 | 1 Erpnext | 1 Erpnext | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. | |||||
| CVE-2018-3879 | 1 Samsung | 2 Sth-eth-250, Sth-eth-250 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly parses the user-controlled JSON payload, leading to a JSON injection which in turn leads to a SQL injection in the video-core database. An attacker can send a series of HTTP requests to trigger this vulnerability. | |||||
| CVE-2018-3811 | 1 Oturia | 1 Smart Google Code Inserter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query. | |||||
| CVE-2018-3783 | 1 Flintcms | 1 Flintcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset. | |||||
| CVE-2018-3754 | 1 Query-mysql Project | 1 Query-mysql | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database. | |||||
| CVE-2018-3607 | 1 Trendmicro | 1 Control Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| XXXTreeNode method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | |||||
| CVE-2018-3606 | 1 Trendmicro | 1 Control Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| XXXStatusXXX, XXXSummary, TemplateXXX and XXXCompliance method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | |||||
| CVE-2018-3605 | 1 Trendmicro | 1 Control Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| TopXXX, ViolationXXX, and IncidentXXX method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | |||||
| CVE-2018-3604 | 1 Trendmicro | 1 Control Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| GetXXX method SQL injection remote code execution (RCE) vulnerabilities in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | |||||
| CVE-2018-3603 | 1 Trendmicro | 1 Control Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A CGGIServlet SQL injection remote code execution (RCE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | |||||
| CVE-2018-3602 | 1 Trendmicro | 1 Control Manager | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An AdHocQuery_Processor SQL injection remote code execution (RCE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to execute arbitrary code on vulnerable installations. | |||||
| CVE-2018-2450 | 1 Sap | 1 Maxdb | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who gets DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from database. | |||||
| CVE-2018-2447 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database. | |||||
| CVE-2018-25088 | 1 Blueyonder | 1 Postgraas Server | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in Blue Yonder postgraas_server up to 2.0.0b2. Affected is the function _create_pg_connection/create_postgres_db of the file postgraas_server/backends/postgres_cluster/postgres_cluster_driver.py of the component PostgreSQL Backend Handler. The manipulation leads to sql injection. Upgrading to version 2.0.0 is able to address this issue. The patch is identified as 7cd8d016edc74a78af0d81c948bfafbcc93c937c. It is recommended to upgrade the affected component. VDB-234246 is the identifier assigned to this vulnerability. | |||||
| CVE-2018-25076 | 1 Events Project | 1 Events | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability classified as critical was found in Events Extension on BigTree. Affected by this vulnerability is the function getRandomFeaturedEventByDate/getUpcomingFeaturedEventsInCategoriesWithSubcategories/recacheEvent/searchResults of the file classes/events.php. The manipulation leads to sql injection. The patch is named 11169e48ab1249109485fdb1e0c9fca3d25ba01d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218395. | |||||
| CVE-2018-25075 | 1 Obridge Project | 1 Obridge | 2024-11-21 | 4.0 MEDIUM | 4.6 MEDIUM |
| A vulnerability classified as critical has been found in karsany OBridge up to 1.3. Affected is the function getAllStandaloneProcedureAndFunction of the file obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. The manipulation leads to sql injection. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.4 is able to address this issue. The name of the patch is 52eca4ad05f3c292aed3178b2f58977686ffa376. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218376. | |||||
| CVE-2018-25072 | 1 Lojban | 1 Jbovlaste | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in lojban jbovlaste. This affects an unknown part of the file dict/listing.html. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The patch is named 6ff44c2e87b1113eb07d76ea62e1f64193b04d15. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217647. | |||||