CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2021(SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-42369 89 Sql 2021-10-14 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. A low-privileged user could inject a SQL statement through the "Export to CSV" feature of the Contact Manager web GUI.
2 CVE-2021-42334 89 Sql 2021-10-15 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
The Easytest contains SQL injection vulnerabilities. After obtaining a user’s privilege, remote attackers can inject SQL commands into the parameters of the elective course management page to obtain all database and administrator permissions.
3 CVE-2021-42333 89 Sql 2021-10-15 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
The Easytest contains SQL injection vulnerabilities. After obtaining user’s privilege, remote attackers can inject SQL commands into the parameters of the learning history page to access all database and obtain administrator permissions.
4 CVE-2021-42325 89 Sql 2021-10-12 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.
5 CVE-2021-42258 89 Exec Code Sql 2021-10-22 2021-10-28
6.8
None Remote Medium Not required Partial Partial Partial
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
6 CVE-2021-42224 89 Sql 2021-10-13 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php.
7 CVE-2021-42169 89 Sql Bypass 2021-10-22 2021-12-03
7.5
None Remote Low Not required Partial Partial Partial
The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
8 CVE-2021-41971 89 Sql 2021-10-18 2021-10-22
6.0
None Remote Medium ??? Partial Partial Partial
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.
9 CVE-2021-41947 89 Sql 2021-10-08 2021-11-30
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Subrion CMS v4.2.1 in the visual-mode.
10 CVE-2021-41920 89 Sql 2021-10-08 2021-10-15
5.0
None Remote Low Not required Partial None None
webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters. This allows an attacker to access all the data in the database and obtain access to the webTareas application.
11 CVE-2021-41845 89 Sql 2021-10-01 2021-10-07
4.0
None Remote Low ??? None Partial None
A SQL injection issue was discovered in ThycoticCentrify Secret Server before 11.0.000007. The only affected versions are 10.9.000032 through 11.0.000006.
12 CVE-2021-41746 89 Sql +Info 2021-10-29 2021-12-06
5.0
None Remote Low Not required Partial None None
SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.
13 CVE-2021-41676 89 Sql 2021-10-29 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerabilty exists in the oretnom23 Pharmacy Point of Sale System 1.0 in the login function in actions.php.
14 CVE-2021-41674 89 Sql 2021-10-29 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php.
15 CVE-2021-41651 89 Sql 2021-10-04 2021-10-12
5.0
None Remote Low Not required Partial None None
A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable cid parameter in process_update_profile.php.
16 CVE-2021-41649 89 Sql 2021-10-01 2021-11-05
7.5
None Remote Low Not required Partial Partial Partial
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
17 CVE-2021-41648 89 Sql 2021-10-01 2021-11-26
5.0
None Remote Low Not required Partial None None
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
18 CVE-2021-41647 89 Sql 2021-10-01 2021-10-08
6.4
None Remote Low Not required Partial Partial None
An un-authenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0. An attacker can exploit the vulnerable "username" parameter in login.php and retrieve sensitive database information, as well as add an administrative user.
19 CVE-2021-41511 89 Sql Bypass 2021-10-04 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
20 CVE-2021-41155 89 Sql 2021-10-18 2021-10-22
6.5
None Remote Low ??? Partial Partial Partial
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions Tuleap does not sanitize properly user inputs when constructing the SQL query to browse and search revisions in the CVS repositories. The following versions contain the fix: Tuleap Community Edition 11.17.99.146, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Edition 11.16-7.
21 CVE-2021-41154 89 Sql 2021-10-18 2021-10-22
6.5
None Remote Low ??? Partial Partial Partial
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected versions an attacker with read access to a "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.17.99.144, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Edition 11.16-7.
22 CVE-2021-41148 89 Sql 2021-10-15 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with the ability to add one the CI widget to its personal dashboard could execute arbitrary SQL queries. Tuleap Community Edition 11.16.99.173, Tuleap Enterprise Edition 11.16-6, and Tuleap Enterprise Edition 11.15-8 contain a patch for this issue.
23 CVE-2021-41147 89 Sql 2021-10-15 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. Prior to version 11.16.99.173 of Community Edition and versions 11.16-6 and 11.15-8 of Enterprise Edition, an attacker with admin rights in one agile dashboard service can execute arbitrary SQL queries. Tuleap Community Edition 11.16.99.173, Tuleap Enterprise Edition 11.16-6, and Tuleap Enterprise Edition 11.15-8 contain a patch for this issue.
24 CVE-2021-41075 89 Sql 2021-10-13 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.
25 CVE-2021-40993 89 Sql 2021-10-15 2021-10-21
5.5
None Remote Low ??? Partial Partial None
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
26 CVE-2021-40992 89 Sql 2021-10-15 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
27 CVE-2021-40843 502 Exec Code Sql 2021-10-13 2021-10-19
6.9
None Local Medium Not required Complete Complete Complete
Proofpoint Insider Threat Management Server contains an unsafe deserialization vulnerability in the Web Console. An attacker with write access to the local database could cause arbitrary code to execute with SYSTEM privileges on the underlying server when a Web Console user triggers retrieval of that data. When chained with a SQL injection vulnerability, the vulnerability could be exploited remotely if Web Console users click a series of maliciously crafted URLs. All versions prior to 7.11.2 are affected.
28 CVE-2021-40842 89 Sql 2021-10-13 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists due to improper input validation on the database name parameter required in certain unauthenticated APIs. A malicious URL visited by anyone with network access to the server could be used to blindly execute arbitrary SQL statements on the backend database. Version 7.12.0 and all versions prior to 7.11.2 are affected.
29 CVE-2021-40618 89 Sql 2021-10-12 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.
30 CVE-2021-40617 89 Sql 2021-10-11 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
31 CVE-2021-40543 89 Sql 2021-10-11 2021-10-18
7.5
None Remote Low Not required Partial Partial Partial
Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file.
32 CVE-2021-40493 89 Sql 2021-10-13 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.
33 CVE-2021-39351 89 Sql 2021-10-06 2021-10-14
4.0
None Remote Low ??? Partial None None
The WP Bannerize WordPress plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfiltrate sensitive information from vulnerable sites. This issue affects versions 2.0.0 - 4.0.2.
34 CVE-2021-39179 89 Exec Code Sql 2021-10-29 2021-11-03
6.5
None Remote Low ??? Partial Partial Partial
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands via unspecified vectors. This vulnerability affects the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` API endpoints in all DHIS2 versions 2.34, 2.35, and 2.36. It also affects versions 2.32 and 2.33 which have reached _end of support_ - exceptional security updates have been added to the latest *end of support* builds for these versions. Versions 2.31 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user - the vulnerability requires a conscious attack to be exploited. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. Security patches are available in DHIS2 versions 2.32-EOS, 2.33-EOS, 2.34.7, 2.35.7, and 2.36.4. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the `/api/trackedEntityInstances`, and `/api/trackedEntityInstances/query` endpoints as a temporary workaround while waiting to upgrade.
35 CVE-2021-38481 89 Sql 2021-10-22 2021-10-27
7.5
None Remote Low Not required Partial Partial Partial
The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitation of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to execute another SQL expression by sending a specific string.
36 CVE-2021-37808 89 Sql 2021-10-27 2021-12-16
4.3
None Remote Medium Not required Partial None None
SQL Injection vulnerabilities exist in https://phpgurukul.com News Portal Project 3.1 via the (1) category, (2) subcategory, (3) sucatdescription, and (4) username parameters, the server response is about (N) seconds delay respectively which mean it is vulnerable to MySQL Blind (Time Based). An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database.
37 CVE-2021-37807 89 Sql 2021-10-27 2021-11-03
5.0
None Remote Low Not required Partial None None
An SQL Injection vulneraility exists in https://phpgurukul.com Online Shopping Portal 3.1 via the email parameter on the /check_availability.php endpoint that serves as a checker whether a new user's email is already exist within the database.
38 CVE-2021-37806 89 Sql 2021-10-27 2021-11-28
4.3
None Remote Medium Not required Partial None None
An SQL Injection vulnerability exists in https://phpgurukul.com Vehicle Parking Management System affected version 1.0. The system is vulnerable to time-based SQL injection on multiple endpoints. Based on the SLEEP(N) function payload that will sleep for a number of seconds used on the (1) editid , (2) viewid, and (3) catename parameters, the server response is about (N) seconds delay respectively which mean it is vulnerable to MySQL Blind (Time Based). An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database.
39 CVE-2021-37803 89 Sql 2021-10-27 2021-11-02
9.3
None Remote Medium Not required Complete Complete Complete
An SQL Injection vulnerability exists in Sourcecodester Online Covid Vaccination Scheduler System 1.0 via the username in lognin.php .
40 CVE-2021-37737 89 Sql 2021-10-15 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
41 CVE-2021-37371 89 Sql Bypass 2021-10-26 2021-10-28
7.5
None Remote Low Not required Partial Partial Partial
Online Student Admission System 1.0 is affected by an unauthenticated SQL injection bypass vulnerability in /admin/login.php.
42 CVE-2021-33736 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
43 CVE-2021-33735 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
44 CVE-2021-33734 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
45 CVE-2021-33733 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
46 CVE-2021-33732 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
47 CVE-2021-33731 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
48 CVE-2021-33730 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
49 CVE-2021-33729 89 Exec Code Sql 2021-10-12 2021-10-18
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). An authenticated attacker that is able to import firmware containers to an affected system could execute arbitrary commands in the local database.
50 CVE-2021-33177 89 Sql 2021-10-14 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
The Bulk Modifications functionality in Nagios XI versions prior to 5.8.5 is vulnerable to SQL injection. Exploitation requires the malicious actor to be authenticated to the vulnerable system, but once authenticated they would be able to execute arbitrary sql queries.
Total number of vulnerabilities : 73   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.