Total
16373 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-15052 | 1 Articatech | 1 Artica Proxy | 2024-11-21 | 7.5 High |
| An issue was discovered in Artica Proxy CE before 4.28.030.418. SQL Injection exists via the Netmask, Hostname, and Alias fields. | ||||
| CVE-2020-15008 | 1 Connectwise | 1 Connectwise Automate | 2024-11-21 | 7.5 High |
| A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Usage of other SQL injection techniques such as timing attacks, it is possible to perform full data extraction as well. Patched in 2020.7 and in a hotfix for 2019.12. | ||||
| CVE-2020-14982 | 1 Kronos | 1 Web Time And Attendance | 2024-11-21 | 6.5 Medium |
| A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sensitive data from the database. | ||||
| CVE-2020-14972 | 1 Pisay Online E-learning System Project | 1 Pisay Online E-learning System | 2024-11-21 | 9.8 Critical |
| Multiple SQL injection vulnerabilities in Sourcecodester Pisay Online E-Learning System 1.0 allow remote unauthenticated attackers to bypass authentication and achieve Remote Code Execution (RCE) via the user_email, user_pass, and id parameters on the admin login-portal and the edit-lessons webpages. | ||||
| CVE-2020-14960 | 1 Php-fusion | 1 Php-fusion | 2024-11-21 | 7.2 High |
| A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter, | ||||
| CVE-2020-14497 | 1 Advantech | 1 Iview | 2024-11-21 | 9.8 Critical |
| Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. | ||||
| CVE-2020-14443 | 1 Dolibarr | 1 Dolibarr | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter. | ||||
| CVE-2020-14349 | 3 Opensuse, Postgresql, Redhat | 7 Leap, Postgresql, Enterprise Linux and 4 more | 2024-11-21 | 7.1 High |
| It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication. | ||||
| CVE-2020-14295 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | 7.2 High |
| A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries. | ||||
| CVE-2020-14207 | 1 Divebook Project | 1 Divebook | 2024-11-21 | 5.3 Medium |
| The DiveBook plugin 1.1.4 for WordPress was prone to a SQL injection within divelog.php, allowing unauthenticated users to retrieve data from the database via the divelog.php filter_diver parameter. | ||||
| CVE-2020-14159 | 1 Connectwise | 1 Automate Api | 2024-11-21 | 8.8 High |
| By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/agent.aspx. This affects versions before 2019.12.337, 2020 before 2020.1.53, 2020.2 before 2020.2.85, 2020.3 before 2020.3.114, 2020.4 before 2020.4.143, and 2020.5 before 2020.5.178. | ||||
| CVE-2020-14092 | 1 Ithemes | 1 Paypal Pro | 2024-11-21 | 9.8 Critical |
| The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection. | ||||
| CVE-2020-14069 | 1 Mk-auth | 1 Mk-auth | 2024-11-21 | 6.8 Medium |
| An issue was discovered in MK-AUTH 19.01. There are SQL injection issues in mkt/ PHP scripts, as demonstrated by arp.php, dhcp.php, hotspot.php, ip.php, pgaviso.php, pgcorte.php, pppoe.php, queues.php, and wifi.php. | ||||
| CVE-2020-14068 | 1 Mk-auth | 1 Mk-auth | 2024-11-21 | 9.8 Critical |
| An issue was discovered in MK-AUTH 19.01. The web login functionality allows an attacker to bypass authentication and gain client privileges via SQL injection in central/executar_login.php. | ||||
| CVE-2020-14054 | 1 Sokkia | 2 Gnr5 Vanguard, Gnr5 Vanguard Firmware | 2024-11-21 | 9.8 Critical |
| SOKKIA GNR5 Vanguard WEB version 1.2 (build: 91f2b2c3a04d203d79862f87e2440cb7cefc3cd3) and hardware version 212 allows remote attackers to bypass admin authentication via a SQL injection attack that uses the User Name or Password field on the login page. | ||||
| CVE-2020-13996 | 1 J2store | 1 J2store | 2024-11-21 | 8.8 High |
| The J2Store plugin before 3.3.13 for Joomla! allows a SQL injection attack by a trusted store manager. | ||||
| CVE-2020-13993 | 1 Mods-for-hesk | 1 Mods For Hesk | 2024-11-21 | 7.5 High |
| An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A blind time-based SQL injection issue allows remote unauthenticated attackers to retrieve information from the database via a ticket. | ||||
| CVE-2020-13968 | 1 Crk | 1 Business Platform | 2024-11-21 | 9.8 Critical |
| CRK Business Platform <= 2019.1 allows can inject SQL statements against the DB on any path using the 'strSessao' parameter. | ||||
| CVE-2020-13926 | 1 Apache | 1 Kylin | 2024-11-21 | 9.8 Critical |
| Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0. | ||||
| CVE-2020-13921 | 1 Apache | 1 Skywalking | 2024-11-21 | 9.8 Critical |
| **Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases. | ||||