Threat Intelligence

CVE-2023-42359 (v3: 9.8) 18 Sep 2023

SQL injection vulnerability in Exam Form Submission in PHP with Source Code v.1.0 allows a remote attacker to escalate privileges via the val-username parameter in /index.php.

CVE-2023-38912 (v3: 9.8) 14 Sep 2023

SQL injection vulnerability in Super Store Finder PHP Script v.3.6 allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter.

CVE-2020-12461 (v3: 8.8) 29 Apr 2020

PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.

CVE-2020-12429 (v3: 9.8) 28 Apr 2020

Online Course Registration 2.0 has multiple SQL injections that would can lead to a complete database compromise and authentication bypass in the login pages: admin/change-password.php, admin/check_availability.php, admin/index.php, change-password.php, check_availability.php, includes/header.php, index.php, and pincode-verification.php.

CVE-2020-10802 (v3: 8) 22 Mar 2020

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.

CVE-2020-10803 (v3: 5.4) 22 Mar 2020

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.

CVE-2020-10804 (v3: 8) 22 Mar 2020

In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).

CVE-2020-10106 (v3: 9.8) 5 Mar 2020

PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to SQL injection, as demonstrated by the email parameter in index.php or register.php. The SQL injection allows to dump the MySQL database and to bypass the login prompt.

CVE-2020-9265 (v3: 8.2) 18 Feb 2020

phpMyChat-Plus 1.98 is vulnerable to multiple SQL injections against the deluser.php Delete User functionality, as demonstrated by pmc_username.

CVE-2020-5504 (v3: 8.8) 9 Jan 2020

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

CVE-2020-5510 (v3: 9.8) 8 Jan 2020

PHPGurukul Hostel Management System v2.0 allows SQL injection via the id parameter in the full-profile.php file.

CVE-2020-5511 (v3: 8.8) 8 Jan 2020

PHPGurukul Small CRM v2.0 was found vulnerable to authentication bypass via SQL injection when logging into the administrator login page.

CVE-2020-5307 (v3: 9.8) 7 Jan 2020

PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.

CVE-2020-5192 (v3: 8.8) 6 Jan 2020

PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple SQL injection vulnerabilities: multiple pages and parameters are not validating user input, and allow for the application's database and information to be fully compromised.

CVE-2019-18622 (v3: 9.8) 22 Nov 2019

An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.

CVE-2019-18662 (v3: 9.8) 2 Nov 2019

An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.

CVE-2019-5150 (v3: 9.8) 31 Oct 2019

An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. When the "VideoTags" plugin is enabled, a specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.

CVE-2019-5151 (v3: 9.8) 31 Oct 2019

An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. A specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.

CVE-2019-5114 (v3: 8.8) 25 Oct 2019

An exploitable SQL injection vulnerability exists in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and,in certain configuration, access the underlying operating system.

CVE-2019-5116 (v3: 8.8) 25 Oct 2019

An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause a SQL injection. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configuration, access the underlying operating system.

CVE-2019-5117 (v3: 8.8) 25 Oct 2019

Exploitable SQL injection vulnerabilities exists in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configuration, access the underlying operating system.

CVE-2019-5119 (v3: 8.8) 25 Oct 2019

An exploitable SQL injection vulnerability exist in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configurations, access the underlying operating system.

CVE-2019-5120 (v3: 8.8) 25 Oct 2019

An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configurations, access the underlying operating system.

CVE-2019-5121 (v3: 8.8) 25 Oct 2019

SQL injection vulnerabilities exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with Parameter uuid in /objects/pluginSwitch.json.php

CVE-2019-5122 (v3: 8.8) 25 Oct 2019

SQL injection vulnerabilities exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with Parameter name in /objects/pluginSwitch.json.php.

CVE-2019-5123 (v3: 8.8) 25 Oct 2019

Specially crafted web requests can cause SQL injections in YouPHPTube 7.6. An attacker can send a web request with Parameter dir in /objects/pluginSwitch.json.php.

CVE-2019-16692 (v3: 9.8) 22 Sep 2019

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.

CVE-2019-16693 (v3: 9.8) 22 Sep 2019

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.

CVE-2019-16694 (v3: 9.8) 22 Sep 2019

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.

CVE-2019-16695 (v3: 9.8) 22 Sep 2019

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.

CVE-2019-16696 (v3: 9.8) 22 Sep 2019

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.

CVE-2019-15537 (v3: 9.8) 23 Aug 2019

The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php.

CVE-2019-14430 (v3: 5.3) 20 Aug 2019

plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection.

CVE-2019-11970 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11971 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11972 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11973 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11974 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11975 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11976 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11977 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11978 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11979 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11984 (v3: 8.8) 5 Jun 2019

A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CVE-2019-11768 (v3: 9.8) 5 Jun 2019

An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.

CVE-2019-9762 (v3: 9.8) 14 Mar 2019

A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment/alipay/pay.php with the parameter id. The vulnerability does not need any authentication.

CVE-2019-9626 (v3: 9.8) 7 Mar 2019

PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to index.php.

CVE-2019-6798 (v3: 9.8) 26 Jan 2019

An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.

CVE-2019-6691 (v3: 7.2) 23 Jan 2019

phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=backup&c=backup&a=doback tabledb[] parameter, related to the "--backup database" option.

CVE-2018-17374 (v3: 9.8) 19 Jun 2019

SQL Injection exists in the Auction Factory 4.5.5 component for Joomla! via the filter_order_Dir or filter_order parameter.

CVE-2018-17381 (v3: 9.8) 19 Jun 2019

SQL Injection exists in the Dutch Auction Factory 2.0.2 component for Joomla! via the filter_order_Dir or filter_order parameter.

CVE-2018-17386 (v3: 9.8) 19 Jun 2019

SQL Injection exists in the Micro Deal Factory 2.4.0 component for Joomla! via the id parameter, or the PATH_INFO to mydeals/ or listdeals/.

CVE-2018-1000869 (v3: 9.8) 20 Dec 2018

phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4.

CVE-2018-18704 (v3: 9.8) 29 Oct 2018

PhpTpoint Pharmacy Management System suffers from a SQL injection vulnerability in the index.php username parameter.

CVE-2018-18705 (v3: 9.8) 29 Oct 2018

PhpTpoint hospital management system suffers from multiple SQL injection vulnerabilities via the index.php user parameter associated with LOGIN.php, or the rno parameter to ALIST.php, DUNDEL.php, PDEL.php, or PUNDEL.php.

CVE-2018-18546 (v3: 9.8) 21 Oct 2018

ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.

CVE-2018-18529 (v3: 9.8) 19 Oct 2018

ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.

CVE-2018-18530 (v3: 9.8) 19 Oct 2018

ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.

CVE-2018-18486 (v3: 9.8) 18 Oct 2018

An issue was discovered in PHPSHE 1.7. SQL injection exists via the admin.php?mod=user&act=del user_id[] parameter.

CVE-2018-17376 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter.

CVE-2018-17378 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Penny Auction Factory 2.0.4 component for Joomla! via the filter_order_Dir or filter_order parameter.

CVE-2018-17379 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! via the filter_order_Dir or filter_order parameter.

CVE-2018-17380 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Article Factory Manager 4.3.9 component for Joomla! via the start_date, m_start_date, or m_end_date parameter.

CVE-2018-17382 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! via the filter_letter parameter.

CVE-2018-17383 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Collection Factory 4.1.9 component for Joomla! via the filter_order or filter_order_Dir parameter.

CVE-2018-17384 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! via the filter_order_Dir or filter_order parameter.

CVE-2018-17385 (v3: 9.8) 28 Sep 2018

SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter.

CVE-2018-7107 (v3: 8.8) 27 Sep 2018

A potential security vulnerability has been identified in HPE Device Entitlement Gateway (DEG) v3.2.4, v3.3 and v3.3.1. The vulnerability could be remotely exploited to allow local SQL injection and elevation of privilege.

CVE-2018-17566 (v3: 9.8) 26 Sep 2018

In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.

CVE-2018-16385 (v3: 9.8) 3 Sep 2018

ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.

CVE-2018-16278 (v3: 9.8) 31 Aug 2018

phpkaiyuancms PhpOpenSourceCMS (POSCMS) V3.2.0 allows an unauthenticated user to execute arbitrary SQL commands via the diy/module/member/controllers/Api.php ajax_save_draft function with the dir parameter.

CVE-2018-6493 (v3: 8.8) 22 May 2018

SQL Injection in HP Network Operations Management Ultimate, version 2017.07, 2017.11, 2018.02 and in Network Automation, version 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50. This vulnerability could be remotely exploited to allow Remote SQL Injection.

CVE-2018-6494 (v3: 5.4) 22 May 2018

Remote SQL Injection against the HP Service Manager Software Web Tier, version 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, may lead to unauthorized disclosure of data.

CVE-2018-11032 (v3: 9.8) 14 May 2018

PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/controller/project.php search() function.

CVE-2018-10225 (v3: 9.8) 19 Apr 2018

thinkphp 3.1.3 has SQL Injection via the index.php s parameter.

CVE-2018-8943 (v3: 9.8) 22 Mar 2018

There is a SQL injection in the PHPSHE 1.6 userbank parameter.

CVE-2018-5211 (v3: 9.8) 9 Jan 2018

PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack on the page ajax.php with the parameter playlist.

CVE-2017-5810 (v3: 9.8) 15 Feb 2018

A remote sql injection vulnerability in HPE Network Automation version 9.1x, 9.2x, 10.0x, 10.1x and 10.2x were found.

CVE-2017-5812 (v3: 7.5) 15 Feb 2018

A remote sql information disclosure vulnerability in HPE Network Automation version 9.1x, 9.2x, 10.0x, 10.1x and 10.2x were found.

CVE-2017-5814 (v3: 9.8) 15 Feb 2018

A remote sql injection authentication bypass in HPE Network Automation version 9.1x, 9.2x, 10.0x, 10.1x and 10.2x were found.

CVE-2017-17951 (v3: 9.8) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter.

CVE-2017-17957 (v3: 9.8) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter.

CVE-2017-17959 (v3: 9.8) 28 Dec 2017

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter.

CVE-2017-17873 (v3: 9.8) 27 Dec 2017

Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI.

CVE-2017-17645 (v3: 9.8) 18 Dec 2017

Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.

CVE-2017-17594 (v3: 9.8) 13 Dec 2017

DomainSale PHP Script 1.0 has SQL Injection via the domain.php id parameter.

CVE-2017-17624 (v3: 9.8) 13 Dec 2017

PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter.

CVE-2017-17626 (v3: 9.8) 13 Dec 2017

Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter.

CVE-2017-14356 (v3: 9.8) 31 Oct 2017

An SQL Injection vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow SQL injection.

CVE-2017-15978 (v3: 9.8) 31 Oct 2017

AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.

CVE-2017-15988 (v3: 9.8) 31 Oct 2017

Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525.

CVE-2017-15964 (v3: 9.8) 29 Oct 2017

Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI.

CVE-2017-15970 (v3: 9.8) 29 Oct 2017

PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter.

CVE-2017-15907 (v3: 9.8) 26 Oct 2017

SQL injection vulnerability in phpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to newsdesk/newsdesk.php.

CVE-2017-15081 (v3: 9.8) 24 Oct 2017

In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.

CVE-2017-15578 (v3: 8.8) 18 Oct 2017

In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php.

CVE-2017-15579 (v3: 9.8) 18 Oct 2017

In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pages_per_page cookie in a playlist action to watch.php.

CVE-2017-6089 (v3: 9.8) 3 Oct 2017

SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id parameter to calendar/deletecalendar.php.

CVE-2017-14512 (v3: 9.8) 17 Sep 2017

NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an editforum action, a different vulnerability than CVE-2017-12981.

CVE-2017-14076 (v3: 9.8) 31 Aug 2017

SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id parameter to linksmanage.php in an editlink action.

CVE-2017-14069 (v3: 9.8) 31 Aug 2017

SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the usernw array parameter to nowarn.php.

CVE-2017-12679 (v3: 9.8) 24 Aug 2017

SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater parameter to cheaterbox.php.

CVE-2017-13669 (v3: 9.8) 24 Aug 2017

SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the setanswered parameter to staffbox.php.

CVE-2017-12981 (v3: 9.8) 21 Aug 2017

NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an addforum action.

CVE-2017-12776 (v3: 9.8) 18 Aug 2017

SQL injection vulnerability in reports.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the delreport parameter.

CVE-2017-12908 (v3: 9.8) 17 Aug 2017

SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the conusr parameter.

CVE-2017-12909 (v3: 9.8) 17 Aug 2017

SQL injection vulnerability in modtask.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the userid parameter.

CVE-2017-12910 (v3: 9.8) 17 Aug 2017

SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the or parameter.

CVE-2016-9864 (v3: 7.5) 11 Dec 2016

An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

CVE-2016-6611 (v3: 8.1) 11 Dec 2016

An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

CVE-2016-6616 (v3: 7.5) 11 Dec 2016

An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.

CVE-2016-6617 (v3: 8.1) 11 Dec 2016

An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected.

CVE-2016-6619 (v3: 8.8) 11 Dec 2016

An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.

CVE-2015-3637 (v3: 8.1) 28 Dec 2017

SQL injection vulnerability in phpMyBackupPro when run in multi-user mode before 2.5 allows remote attackers to execute arbitrary SQL commands via the username and password parameters.

CVE-2015-2146 (v3: 9.8) 6 Oct 2017

Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to project.php, the (2) group_id parameter to group.php, the (3) status_id parameter to status.php, the (4) resolution_id parameter to resolution.php, the (5) severity_id parameter to severity.php, the (6) priority_id parameter to priority.php, the (7) os_id parameter to os.php, or the (8) site_id parameter to site.php.

CVE-2015-2147 (v3: 9.8) 6 Oct 2017

Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.

CVE-2015-5648 (v2: 6.5) 11 Oct 2015

SQL injection vulnerability in list.php in phpRechnung before 1.6.5 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVE-2015-4713 (v2: 6.5) 22 Jun 2015

SQL injection vulnerability in ApPHP Hotel Site 3.x.x allows remote editors to execute arbitrary SQL commands via the pid parameter to index.php.

CVE-2015-3345 (v2: 6.5) 21 Apr 2015

SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the "phpList database."

CVE-2015-2563 (v2: 7.5) 20 Mar 2015

SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 0.9.9 and 1.2.3 allows remote attackers to execute arbitrary SQL commands via the order_by parameter. NOTE: The cat parameter vector is already covered by CVE-2008-4157.