CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In November 2021 (SQL Injection)

# | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access Vector | Access Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2021-44427 | 89 | Sql | 2021-11-29 | 2021-11-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
2 | CVE-2021-44026 | 89 | Sql | 2021-11-19 | 2021-12-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
3 | CVE-2021-43408 | 89 | Exec Code Sql | 2021-11-19 | 2021-11-24 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
    The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it is also possible to exploit features of the SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators; however, the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.
4 | CVE-2021-43362 | 89 | Sql | 2021-11-16 | 2021-11-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Due to improper sanitization, MedData HBYS software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with web access is able to extract critical information from the system.
5 | CVE-2021-43361 | 89 | Sql | 2021-11-16 | 2021-11-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Due to improper sanitization, MedData HBYS software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with web access is able to extract critical information from the system.
6 | CVE-2021-43338 | 89 | Sql | 2021-11-03 | 2021-11-05 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    In Ericsson Network Location MPS GMPC21, it is possible to create a new admin user with a SQL Query for file_name in the export functionality.
7 | CVE-2021-43140 | 89 | Sql | 2021-11-03 | 2021-11-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    SQL Injection vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the login.
8 | CVE-2021-43130 | 89 | Sql | 2021-11-03 | 2021-11-17 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.
9 | CVE-2021-42670 | 89 | Exec Code Sql | 2021-11-05 | 2021-11-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to the announcements_student.php web page. As a result, a malicious user can extract sensitive data from the web server and in some cases use this vulnerability in order to get remote code execution on the remote web server.
10 | CVE-2021-42668 | 89 | Exec Code Sql | 2021-11-05 | 2021-12-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability in order to get remote code execution on the remote web server.
11 | CVE-2021-42667 | 89 | Exec Code Sql | 2021-11-05 | 2021-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the SQL query performed. As a result, he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get remote code execution on the remote web server.
12 | CVE-2021-42666 | 89 | Exec Code Sql | 2021-11-05 | 2021-11-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnerability in order to get remote code execution on the remote web server.
13 | CVE-2021-42665 | 89 | Sql Bypass | 2021-11-05 | 2021-11-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
14 | CVE-2021-42663 | 74 | Sql | 2021-11-05 | 2021-11-09 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
    An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link, he will display the content of the HTML code of the attacker's choice.
15 | CVE-2021-42580 | 89 | Exec Code Sql Bypass | 2021-11-15 | 2021-11-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Sourcecodester Online Learning System 2.0 is vulnerable to SQL injection authentication bypass in the admin login file (/admin/login.php) and authenticated file upload in the Master.php file; we can chain these two vulnerabilities to get unauthenticated remote command execution.
16 | CVE-2021-42077 | 89 | Sql Bypass | 2021-11-08 | 2021-11-09 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
    PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
17 | CVE-2021-41931 | 89 | Sql | 2021-11-17 | 2021-11-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    The Company's Recruitment Management System in id=2 of the parameter from view_vacancy app on-page appears to be vulnerable to SQL injection. The payloads 19424269' or '1309'='1309 and 39476597' or '2917'='2923 were each submitted in the id parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
18 | CVE-2021-41765 | 89 | Exec Code Sql | 2021-11-15 | 2021-11-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the full contents of the ResourceSpace database, including user session cookies. An attacker who gets an admin user session cookie can use the session cookie to execute arbitrary code on the server.
19 | CVE-2021-41679 | 89 | Sql | 2021-11-30 | 2021-11-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.
20 | CVE-2021-41678 | 89 | Sql | 2021-11-30 | 2021-11-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter.
21 | CVE-2021-41677 | 89 | Sql | 2021-11-30 | 2021-11-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.
22 | CVE-2021-41492 | 89 | Sql | 2021-11-03 | 2021-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Multiple SQL Injection vulnerabilities exist in Sourcecodester Simple Cashiering System (POS) 1.0 via the (1) Product Code in the pos page in cashiering, (2) id parameter in manage_products and the (3) t parameter in actions.php.
23 | CVE-2021-41187 | 89 | Sql | 2021-11-01 | 2021-11-02 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the API endpoints for /api/trackedEntityInstances and api/events in DHIS2. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.32, 2.33, 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance and /api/events endpoints as a temporary workaround while waiting to upgrade.
24 | CVE-2021-41081 | 89 | Sql | 2021-11-11 | 2021-11-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a configuration search.
25 | CVE-2021-41080 | 89 | Sql | 2021-11-11 | 2021-11-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a hardware details search.
26 | CVE-2021-40129 | 89 | Sql | 2021-11-19 | 2021-11-23 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to submit a SQL query through the CSPC configuration dashboard. This vulnerability is due to insufficient input validation of uploaded files. An attacker could exploit this vulnerability by uploading a file containing a SQL query to the configuration dashboard. A successful exploit could allow the attacker to read restricted information from the CSPC SQL database.
27 | CVE-2021-36916 | 89 | Sql | 2021-11-24 | 2021-11-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.
28 | CVE-2021-36807 | 89 | Exec Code Sql | 2021-11-26 | 2021-11-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
29 | CVE-2021-36328 | 89 | Exec Code Sql | 2021-11-30 | 2021-12-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.
30 | CVE-2021-36300 | 89 | Sql | 2021-11-23 | 2021-11-26 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial
    iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure.
31 | CVE-2021-36299 | 89 | DoS Sql | 2021-11-23 | 2021-11-27 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial
    Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00, contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application.
32 | CVE-2021-36184 | 89 | Sql | 2021-11-02 | 2021-11-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None
    An improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows an attacker to disclose device, user and database information via crafted HTTP requests.
33 | CVE-2021-34684 | 89 | Sql | 2021-11-08 | 2021-11-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.
34 | CVE-2021-31849 | 89 | Sql | 2021-11-01 | 2021-11-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    SQL injection vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.7.100 allows a remote attacker logged into ePO as an administrator to inject arbitrary SQL into the ePO database through the user management section of the DLP ePO extension.
35 | CVE-2021-28022 | 89 | Sql | 2021-11-08 | 2021-11-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    Blind SQL injection in the login form in ServiceTonic Helpdesk software < 9.0.35937 allows an attacker to exfiltrate information via specially crafted HQL-compatible time-based SQL queries.
36 | CVE-2021-27644 | 89 | Sql | 2021-11-01 | 2021-11-02 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial
    In Apache DolphinScheduler versions before 1.3.6, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password.)
37 | CVE-2021-26795 | 89 | Sql +Info | 2021-11-14 | 2021-11-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    A SQL Injection vulnerability in /appliance/shiftmgn.php in TalariaX sendQuick Alert Plus Server Admin 4.3 before 8HF11 allows attackers to obtain sensitive information via a Roster Time to Roster Management.
38 | CVE-2021-26739 | 89 | Exec Code Sql | 2021-11-01 | 2021-11-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    SQL Injection vulnerability in pay.php in millken doyocms 2.3 allows attackers to execute arbitrary code via the attribute parameter.
39 | CVE-2021-25874 | 89 | Sql | 2021-11-01 | 2021-11-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None
    AVideo/YouPHPTube 10.0 and prior is affected by a SQL injection in the catName parameter which allows a remote unauthenticated attacker to retrieve database information such as application password hashes.
40 | CVE-2021-24915 | 89 | Sql | 2021-11-29 | 2021-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated users to perform SQL injection attacks, as well as get the list of all users registered on the blog, including their username and email address.
41 | CVE-2021-24889 | 89 | Sql | 2021-11-29 | 2021-11-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injection attacks.
42 | CVE-2021-24877 | 89 | Sql | 2021-11-23 | 2021-11-26 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial
    The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameters before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed.
43 | CVE-2021-24860 | 89 | Sql | 2021-11-29 | 2021-11-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue.
44 | CVE-2021-24847 | 89 | Sql | 2021-11-17 | 2021-11-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The importFromRedirection AJAX action of the SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 8.2, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading to an SQL injection when the redirection plugin is also installed.
45 | CVE-2021-24844 | 89 | Sql | 2021-11-08 | 2021-11-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue.
46 | CVE-2021-24835 | 89 | Sql | 2021-11-08 | 2021-11-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection attacks.
47 | CVE-2021-24829 | 89 | Sql | 2021-11-08 | 2021-11-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated user) before using it in a SQL statement, leading to an SQL injection issue.
48 | CVE-2021-24827 | 89 | Sql | 2021-11-08 | 2021-11-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
    The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue.
49 | CVE-2021-24791 | 89 | Sql | 2021-11-08 | 2021-11-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections.
50 | CVE-2021-24772 | 89 | Sql | 2021-11-17 | 2021-11-19 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
    The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.
Total number of vulnerabilities: 73 (page 1 of 2; this page lists entries 1 to 50)