Total
16332 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-20329 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A |
| Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsCatalog.class.php SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information. | ||||
| CVE-2018-20173 | 1 Zohocorp | 1 Manageengine Opmanager | 2024-11-21 | N/A |
| Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API. | ||||
| CVE-2018-20091 | 1 Cloudera | 1 Data Science Workbench | 2024-11-21 | N/A |
| An SQL injection vulnerability was found in Cloudera Data Science Workbench (CDSW) 1.4.0 through 1.4.2. This would allow any authenticated user to run arbitrary queries against CDSW's internal database. The database contains user contact information, encrypted CDSW passwords (in the case of local authentication), API keys, and stored Kerberos keytabs. | ||||
| CVE-2018-20061 | 1 Frappe | 1 Erpnext | 2024-11-21 | N/A |
| A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call. | ||||
| CVE-2018-20018 | 1 S-cms | 1 S-cms | 2024-11-21 | N/A |
| S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI. | ||||
| CVE-2018-1994 | 1 Ibm | 2 Infosphere Information Server On Cloud, Infosphere Metadata Asset Manager | 2024-11-21 | N/A |
| IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 154494. | ||||
| CVE-2018-1819 | 1 Ibm | 1 Financial Transaction Manager | 2024-11-21 | N/A |
| IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.2, 3.0.4, 3.0.6, and 3.2.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-force ID: 150023. | ||||
| CVE-2018-1756 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2024-11-21 | N/A |
| IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599. | ||||
| CVE-2018-1699 | 1 Ibm | 1 Maximo Asset Management | 2024-11-21 | N/A |
| IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145968. | ||||
| CVE-2018-1674 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2024-11-21 | N/A |
| IBM Business Process Manager 8.5 through 8.6 and 18.0.0.0 through 18.0.0.1 are vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145109. | ||||
| CVE-2018-1414 | 1 Ibm | 2 Maximo Asset Management, Maximo Asset Management Essentials | 2024-11-21 | N/A |
| IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 138820. | ||||
| CVE-2018-1292 | 1 Apache | 1 Fineract | 2024-11-21 | N/A |
| Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter. | ||||
| CVE-2018-1291 | 1 Apache | 1 Fineract | 2024-11-21 | N/A |
| Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query parameter by way of the "order" param in such a way to read/update the data for which he doesn't have authorization. | ||||
| CVE-2018-1290 | 1 Apache | 1 Fineract | 2024-11-21 | N/A |
| In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of MakercheckersApiResource Class. | ||||
| CVE-2018-1289 | 1 Apache | 1 Fineract | 2024-11-21 | N/A |
| In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' and 'sortOrder' query parameter in such a way to read/update the data for which he doesn't have authorization. | ||||
| CVE-2018-1282 | 1 Apache | 1 Hive | 2024-11-21 | N/A |
| This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation. | ||||
| CVE-2018-1280 | 1 Pivotal Software | 1 Greenplum Command Center | 2024-11-21 | N/A |
| Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in disclosure of database contents. | ||||
| CVE-2018-1252 | 1 Rsa | 1 Web Threat Detection | 2024-11-21 | N/A |
| RSA Web Threat Detection versions prior to 6.4, contain an SQL injection vulnerability in the Administration and Forensics applications. An authenticated malicious user with low privileges could potentially exploit this vulnerability to execute SQL commands on the back-end database to gain unauthorized access to the tool's monitoring and user information by supplying specially crafted input data to the affected application. | ||||
| CVE-2018-1132 | 1 Opendaylight | 1 Sdninterfaceapp | 2024-11-21 | N/A |
| A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL. | ||||
| CVE-2018-1096 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Foreman | 2024-11-21 | N/A |
| An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database. | ||||