Proteus® NextGen Data Privacy™ users can receive automated alerts using this data by linking it to their ITIL CMDB (IT asset register)

2025

2024

2023

CVE-2023-42359 (v3: 9.8) 18 Sept 2023
SQL injection vulnerability in Exam Form Submission in PHP with Source Code v.1.0 allows a remote attacker to escalate privileges via the val-username parameter in /index.php.
CVE-2023-38912 (v3: 9.8) 14 Sept 2023
SQL injection vulnerability in Super Store Finder PHP Script v.3.6 allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter.

2022

2021

2020

CVE-2020-12461 (v3: 8.8) 29 Apr 2020
PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an insufficient protection mechanism. An attacker can develop a crafted payload that can be inserted into the sort_order GET parameter on the members.php members search page. This parameter allows for control over anything after the ORDER BY clause in the SQL query.
CVE-2020-12429 (v3: 9.8) 28 Apr 2020
Online Course Registration 2.0 has multiple SQL injections that would can lead to a complete database compromise and authentication bypass in the login pages: admin/change-password.php, admin/check_availability.php, admin/index.php, change-password.php, check_availability.php, includes/header.php, index.php, and pincode-verification.php.
CVE-2020-10802 (v3: 8) 22 Mar 2020
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.
CVE-2020-10803 (v3: 5.4) 22 Mar 2020
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
CVE-2020-10804 (v3: 8) 22 Mar 2020
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).
CVE-2020-10106 (v3: 9.8) 5 Mar 2020
PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to SQL injection, as demonstrated by the email parameter in index.php or register.php. The SQL injection allows to dump the MySQL database and to bypass the login prompt.
CVE-2020-9265 (v3: 8.2) 18 Feb 2020
phpMyChat-Plus 1.98 is vulnerable to multiple SQL injections against the deluser.php Delete User functionality, as demonstrated by pmc_username.
CVE-2020-5504 (v3: 8.8) 9 Jan 2020
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
CVE-2020-5510 (v3: 9.8) 8 Jan 2020
PHPGurukul Hostel Management System v2.0 allows SQL injection via the id parameter in the full-profile.php file.
CVE-2020-5511 (v3: 8.8) 8 Jan 2020
PHPGurukul Small CRM v2.0 was found vulnerable to authentication bypass via SQL injection when logging into the administrator login page.
CVE-2020-5307 (v3: 9.8) 7 Jan 2020
PHPGurukul Dairy Farm Shop Management System 1.0 is vulnerable to SQL injection, as demonstrated by the username parameter in index.php, the category and CategoryCode parameters in add-category.php, the CompanyName parameter in add-company.php, and the ProductName and ProductPrice parameters in add-product.php.
CVE-2020-5192 (v3: 8.8) 6 Jan 2020
PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple SQL injection vulnerabilities: multiple pages and parameters are not validating user input, and allow for the application's database and information to be fully compromised.

2019

CVE-2019-18622 (v3: 9.8) 22 Nov 2019
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
CVE-2019-18662 (v3: 9.8) 2 Nov 2019
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.
CVE-2019-5150 (v3: 9.8) 31 Oct 2019
An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. When the "VideoTags" plugin is enabled, a specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2019-5151 (v3: 9.8) 31 Oct 2019
An exploitable SQL injection vulnerability exist in YouPHPTube 7.7. A specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2019-5114 (v3: 8.8) 25 Oct 2019
An exploitable SQL injection vulnerability exists in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and,in certain configuration, access the underlying operating system.
CVE-2019-5116 (v3: 8.8) 25 Oct 2019
An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause a SQL injection. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configuration, access the underlying operating system.
CVE-2019-5117 (v3: 8.8) 25 Oct 2019
Exploitable SQL injection vulnerabilities exists in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configuration, access the underlying operating system.
CVE-2019-5119 (v3: 8.8) 25 Oct 2019
An exploitable SQL injection vulnerability exist in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configurations, access the underlying operating system.
CVE-2019-5120 (v3: 8.8) 25 Oct 2019
An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and in certain configurations, access the underlying operating system.
CVE-2019-5121 (v3: 8.8) 25 Oct 2019
SQL injection vulnerabilities exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with Parameter uuid in /objects/pluginSwitch.json.php
CVE-2019-5122 (v3: 8.8) 25 Oct 2019
SQL injection vulnerabilities exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injections. An attacker can send a web request with Parameter name in /objects/pluginSwitch.json.php.
CVE-2019-5123 (v3: 8.8) 25 Oct 2019
Specially crafted web requests can cause SQL injections in YouPHPTube 7.6. An attacker can send a web request with Parameter dir in /objects/pluginSwitch.json.php.
CVE-2019-16692 (v3: 9.8) 22 Sept 2019
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
CVE-2019-16693 (v3: 9.8) 22 Sept 2019
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.
CVE-2019-16694 (v3: 9.8) 22 Sept 2019
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.
CVE-2019-16695 (v3: 9.8) 22 Sept 2019
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
CVE-2019-16696 (v3: 9.8) 22 Sept 2019
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
CVE-2019-15537 (v3: 9.8) 23 Aug 2019
The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php.
CVE-2019-14430 (v3: 5.3) 20 Aug 2019
plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection.
CVE-2019-11970 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11971 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11972 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11973 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11974 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11975 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11976 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11977 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11978 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11979 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11984 (v3: 8.8) 5 Jun 2019
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
CVE-2019-11768 (v3: 9.8) 5 Jun 2019
An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
CVE-2019-9762 (v3: 9.8) 14 Mar 2019
A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment/alipay/pay.php with the parameter id. The vulnerability does not need any authentication.
CVE-2019-9626 (v3: 9.8) 7 Mar 2019
PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to index.php.
CVE-2019-6798 (v3: 9.8) 26 Jan 2019
An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
CVE-2019-6691 (v3: 7.2) 23 Jan 2019
phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=backup&c=backup&a=doback tabledb[] parameter, related to the "--backup database" option.

2018

CVE-2018-17374 (v3: 9.8) 19 Jun 2019
SQL Injection exists in the Auction Factory 4.5.5 component for Joomla! via the filter_order_Dir or filter_order parameter.
CVE-2018-17381 (v3: 9.8) 19 Jun 2019
SQL Injection exists in the Dutch Auction Factory 2.0.2 component for Joomla! via the filter_order_Dir or filter_order parameter.
CVE-2018-17386 (v3: 9.8) 19 Jun 2019
SQL Injection exists in the Micro Deal Factory 2.4.0 component for Joomla! via the id parameter, or the PATH_INFO to mydeals/ or listdeals/.
CVE-2018-1000869 (v3: 9.8) 20 Dec 2018
phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4.
CVE-2018-18704 (v3: 9.8) 29 Oct 2018
PhpTpoint Pharmacy Management System suffers from a SQL injection vulnerability in the index.php username parameter.
CVE-2018-18705 (v3: 9.8) 29 Oct 2018
PhpTpoint hospital management system suffers from multiple SQL injection vulnerabilities via the index.php user parameter associated with LOGIN.php, or the rno parameter to ALIST.php, DUNDEL.php, PDEL.php, or PUNDEL.php.
CVE-2018-18546 (v3: 9.8) 21 Oct 2018
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
CVE-2018-18529 (v3: 9.8) 19 Oct 2018
ThinkPHP 3.2.4 has SQL Injection via the count parameter because the Library/Think/Db/Driver/Mysql.class.php parseKey function mishandles the key variable. NOTE: a backquote character is not required in the attack URI.
CVE-2018-18530 (v3: 9.8) 19 Oct 2018
ThinkPHP 5.1.25 has SQL Injection via the count parameter because the library/think/db/Query.php aggregate function mishandles the aggregate variable. NOTE: a backquote character is required in the attack URI.
CVE-2018-18486 (v3: 9.8) 18 Oct 2018
An issue was discovered in PHPSHE 1.7. SQL injection exists via the admin.php?mod=user&act=del user_id[] parameter.
CVE-2018-17376 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter.
CVE-2018-17378 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Penny Auction Factory 2.0.4 component for Joomla! via the filter_order_Dir or filter_order parameter.
CVE-2018-17379 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! via the filter_order_Dir or filter_order parameter.
CVE-2018-17380 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Article Factory Manager 4.3.9 component for Joomla! via the start_date, m_start_date, or m_end_date parameter.
CVE-2018-17382 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! via the filter_letter parameter.
CVE-2018-17383 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Collection Factory 4.1.9 component for Joomla! via the filter_order or filter_order_Dir parameter.
CVE-2018-17384 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! via the filter_order_Dir or filter_order parameter.
CVE-2018-17385 (v3: 9.8) 28 Sept 2018
SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter.
CVE-2018-7107 (v3: 8.8) 27 Sept 2018
A potential security vulnerability has been identified in HPE Device Entitlement Gateway (DEG) v3.2.4, v3.3 and v3.3.1. The vulnerability could be remotely exploited to allow local SQL injection and elevation of privilege.
CVE-2018-17566 (v3: 9.8) 26 Sept 2018
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
CVE-2018-16385 (v3: 9.8) 3 Sept 2018
ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.
CVE-2018-16278 (v3: 9.8) 31 Aug 2018
phpkaiyuancms PhpOpenSourceCMS (POSCMS) V3.2.0 allows an unauthenticated user to execute arbitrary SQL commands via the diy/module/member/controllers/Api.php ajax_save_draft function with the dir parameter.
CVE-2018-6493 (v3: 8.8) 22 May 2018
SQL Injection in HP Network Operations Management Ultimate, version 2017.07, 2017.11, 2018.02 and in Network Automation, version 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50. This vulnerability could be remotely exploited to allow Remote SQL Injection.
CVE-2018-6494 (v3: 5.4) 22 May 2018
Remote SQL Injection against the HP Service Manager Software Web Tier, version 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, may lead to unauthorized disclosure of data.
CVE-2018-11032 (v3: 9.8) 14 May 2018
PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/controller/project.php search() function.
CVE-2018-10225 (v3: 9.8) 19 Apr 2018
thinkphp 3.1.3 has SQL Injection via the index.php s parameter.
CVE-2018-8943 (v3: 9.8) 22 Mar 2018
There is a SQL injection in the PHPSHE 1.6 userbank parameter.
CVE-2018-5211 (v3: 9.8) 9 Jan 2018
PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack on the page ajax.php with the parameter playlist.

2017

CVE-2017-5810 (v3: 9.8) 15 Feb 2018
A remote sql injection vulnerability in HPE Network Automation version 9.1x, 9.2x, 10.0x, 10.1x and 10.2x were found.
CVE-2017-5812 (v3: 7.5) 15 Feb 2018
A remote sql information disclosure vulnerability in HPE Network Automation version 9.1x, 9.2x, 10.0x, 10.1x and 10.2x were found.
CVE-2017-5814 (v3: 9.8) 15 Feb 2018
A remote sql injection authentication bypass in HPE Network Automation version 9.1x, 9.2x, 10.0x, 10.1x and 10.2x were found.
CVE-2017-17951 (v3: 9.8) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter.
CVE-2017-17957 (v3: 9.8) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter.
CVE-2017-17959 (v3: 9.8) 28 Dec 2017
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter.
CVE-2017-17873 (v3: 9.8) 27 Dec 2017
Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI.
CVE-2017-17645 (v3: 9.8) 18 Dec 2017
Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.
CVE-2017-17594 (v3: 9.8) 13 Dec 2017
DomainSale PHP Script 1.0 has SQL Injection via the domain.php id parameter.
CVE-2017-17624 (v3: 9.8) 13 Dec 2017
PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter.
CVE-2017-17626 (v3: 9.8) 13 Dec 2017
Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter.
CVE-2017-14356 (v3: 9.8) 31 Oct 2017
An SQL Injection vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow SQL injection.
CVE-2017-15978 (v3: 9.8) 31 Oct 2017
AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.
CVE-2017-15988 (v3: 9.8) 31 Oct 2017
Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525.
CVE-2017-15964 (v3: 9.8) 29 Oct 2017
Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI.
CVE-2017-15970 (v3: 9.8) 29 Oct 2017
PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter.
CVE-2017-15907 (v3: 9.8) 26 Oct 2017
SQL injection vulnerability in phpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to newsdesk/newsdesk.php.
CVE-2017-15081 (v3: 9.8) 24 Oct 2017
In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
CVE-2017-15578 (v3: 8.8) 18 Oct 2017
In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php.
CVE-2017-15579 (v3: 9.8) 18 Oct 2017
In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pages_per_page cookie in a playlist action to watch.php.
CVE-2017-6089 (v3: 9.8) 3 Oct 2017
SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id parameter to calendar/deletecalendar.php.
CVE-2017-14512 (v3: 9.8) 17 Sept 2017
NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an editforum action, a different vulnerability than CVE-2017-12981.
CVE-2017-14076 (v3: 9.8) 31 Aug 2017
SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id parameter to linksmanage.php in an editlink action.
CVE-2017-14069 (v3: 9.8) 31 Aug 2017
SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the usernw array parameter to nowarn.php.
CVE-2017-12679 (v3: 9.8) 24 Aug 2017
SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater parameter to cheaterbox.php.
CVE-2017-13669 (v3: 9.8) 24 Aug 2017
SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the setanswered parameter to staffbox.php.
CVE-2017-12981 (v3: 9.8) 21 Aug 2017
NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an addforum action.
CVE-2017-12776 (v3: 9.8) 18 Aug 2017
SQL injection vulnerability in reports.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the delreport parameter.
CVE-2017-12908 (v3: 9.8) 17 Aug 2017
SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the conusr parameter.
CVE-2017-12909 (v3: 9.8) 17 Aug 2017
SQL injection vulnerability in modtask.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the userid parameter.
CVE-2017-12910 (v3: 9.8) 17 Aug 2017
SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the or parameter.

2016

CVE-2016-9864 (v3: 7.5) 11 Dec 2016
An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-6611 (v3: 8.1) 11 Dec 2016
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6616 (v3: 7.5) 11 Dec 2016
An issue was discovered in phpMyAdmin. In the "User group" and "Designer" features, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4) and 4.4.x versions (prior to 4.4.15.8) are affected.
CVE-2016-6617 (v3: 8.1) 11 Dec 2016
An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected.
CVE-2016-6619 (v3: 8.8) 11 Dec 2016
An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.