CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In December 2021 (SQL Injection)
Fields for each entry: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf./Integ./Avail. (C/I/A). The "# of Exploits" column is empty for every entry on this page and is omitted below. The description follows each entry.

1. CVE-2021-45814 | CWE-89 | Sql Bypass | Published 2021-12-28 | Updated 2022-01-07 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An attacker can bypass authentication and access the panel with an administrative account.

2. CVE-2021-45255 | CWE-89 | Sql | Published 2021-12-21 | Updated 2022-01-04 | Score 10.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Complete/Complete/Complete
The email parameter from ajax.php of Video Sharing Website 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

3. CVE-2021-45253 | CWE-89 | Sql | Published 2021-12-21 | Updated 2021-12-27 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
The id parameter in view_storage.php from Simple Cold Storage Management System 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

4. CVE-2021-45252 | CWE-89 | Sql | Published 2021-12-21 | Updated 2021-12-27 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Multiple SQL injection vulnerabilities are found in Simple Forum-Discussion System 1.0, for example in three scripts: manage_topic.php, manage_user.php, and ajax.php. An attacker can retrieve all information from the system's database by using these vulnerabilities.

5. CVE-2021-45041 | CWE-89 | Sql | Published 2021-12-19 | Updated 2022-01-04 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.

6. CVE-2021-45014 | CWE-89 | Sql | Published 2021-12-14 | Updated 2021-12-15 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
There is an upload SQL injection vulnerability in the back end (admin area) of taocms 3.0.2 in the id parameter: action=cms&ctrl=update&id=26

7. CVE-2021-44966 | CWE-89 | Sql Bypass | Published 2021-12-13 | Updated 2021-12-17 | Score 10.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Complete/Complete/Complete
SQL injection authentication bypass vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. An attacker can log in as an admin account of this system and can destroy, change or manipulate all sensitive information on the system.

8. CVE-2021-44874 | CWE-89 | Sql | Published 2021-12-21 | Updated 2021-12-27 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to insecure design on report build via SQL query. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. The bi report module exposes direct SQL commands via POST data in order to select data for report generation. A malicious actor can use the bi report endpoint as a direct SQL prompt under the authenticated user.

9. CVE-2021-44655 | CWE-89 | Sql Bypass | Published 2021-12-15 | Updated 2022-03-29 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to get admin access on the application.

10. CVE-2021-44653 | CWE-89 | Sql Bypass | Published 2021-12-15 | Updated 2022-03-29 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The admin panel authentication can be bypassed due to a SQL injection vulnerability in the login form, allowing an attacker to gain access as admin to the application.

11. CVE-2021-44600 | CWE-89 | Sql | Published 2021-12-23 | Updated 2022-01-04 | Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/None/None
The password parameter on Simple Online Mens Salon Management System (MSMS) 1.0 appears to be vulnerable to SQL injection attacks. The predictive tests of this application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve all authentication and information about the users of this system.

12. CVE-2021-44599 | CWE-89 | Sql | Published 2021-12-23 | Updated 2022-01-04 | Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/None/None
The id parameter from Online Enrollment Management System 1.0 appears to be vulnerable to SQL injection attacks. A crafted payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve sensitive information for all users of this system.

13. CVE-2021-44350 | CWE-89 | Sql | Published 2021-12-15 | Updated 2021-12-20 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via the parseOrder function in Builder.php.

14. CVE-2021-44349 | CWE-89 | Sql | Published 2021-12-03 | Updated 2021-12-06 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\DownloadController.class.php.

15. CVE-2021-44348 | CWE-89 | Sql | Published 2021-12-03 | Updated 2021-12-06 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\AdvertController.class.php.

16. CVE-2021-44347 | CWE-89 | Sql | Published 2021-12-03 | Updated 2021-12-06 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Controller\GuestbookController.class.php.

17. CVE-2021-44280 | CWE-89 | Sql | Published 2021-12-01 | Updated 2021-12-22 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.

18. CVE-2021-44161 | CWE-89 | Sql | Published 2021-12-29 | Updated 2022-01-10 | Score 5.8 | Gained access: None | Access: Local Network | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Changing a specific function parameter of the MOTP (Mobile One Time Password) system has insufficient validation of user input. An attacker in the local area network can perform a SQL injection attack to read, modify or delete the backend database without authentication.

19. CVE-2021-44050 | CWE-89 | Sql | Published 2021-12-02 | Updated 2021-12-06 | Score 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/None/None
CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.

20. CVE-2021-43851 | CWE-89 | Sql | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. SQL injection vulnerabilities exist in multiple files in Time Tracker version 1.19.33.5606 and prior due to improper checking of the "group" and "status" parameters in POST requests. The group parameter is posted along when navigating between organizational subgroups (groups.php file). The status parameter is used in multiple files to change the status of an entity, such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607. An upgrade is highly recommended. If an upgrade is not practical, introduce the ttValidStatus function as in the latest version and use it in the user input check blocks wherever the status field is used. For the groups.php fix, introduce the ttValidInteger function as in the latest version and use it in the access check block in the file.

21. CVE-2021-43830 | CWE-89 | Sql | Published 2021-12-14 | Updated 2021-12-20 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget insufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patch

22. CVE-2021-43822 | CWE-89 | Sql | Published 2021-12-13 | Updated 2021-12-17 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | C/I/A: Partial/Partial/Partial
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that an accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or if you validate the user input to not contain `;`, you are not affected.

23. CVE-2021-43806 | CWE-89 | Sql | Published 2021-12-15 | Updated 2021-12-21 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected versions Tuleap does not properly sanitize user settings when constructing the SQL query to browse and search commits in the CVS repositories. An authenticated malicious user with read access to a CVS repository could execute arbitrary SQL queries. Tuleap instances without active CVS repositories are not impacted. The following versions contain the fix: Tuleap Community Edition 13.2.99.155, Tuleap Enterprise Edition 13.1-7, and Tuleap Enterprise Edition 13.2-6.

24. CVE-2021-43789 | CWE-89 | Sql | Published 2021-12-07 | Updated 2021-12-08 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.

25. CVE-2021-43679 | CWE-89 | Sql | Published 2021-12-02 | Updated 2021-12-03 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php.

26. CVE-2021-43631 | CWE-89 | Sql | Published 2021-12-22 | Updated 2021-12-28 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the appointment_no parameter in payment.php.

27. CVE-2021-43630 | CWE-89 | Exec Code Sql | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in add_patient.php. As a result, an authenticated malicious user can compromise the database system and in some cases leverage this vulnerability to get remote code execution on the remote web server.

28. CVE-2021-43629 | CWE-89 | Sql | Published 2021-12-22 | Updated 2021-12-28 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via multiple parameters in admin_home.php.

29. CVE-2021-43628 | CWE-89 | Sql | Published 2021-12-22 | Updated 2021-12-28 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the email parameter in hms-staff.php.

30. CVE-2021-43608 | CWE-89 | Sql | Published 2021-12-09 | Updated 2021-12-15 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of offset and length inputs to the generation of a LIMIT clause was not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.

31. CVE-2021-43451 | CWE-89 | Sql | Published 2021-12-01 | Updated 2021-12-22 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.

32. CVE-2021-43157 | CWE-89 | Sql | Published 2021-12-22 | Updated 2021-12-28 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Projectsworlds Online Shopping System PHP 1.0 is vulnerable to SQL injection via the id parameter in cart_remove.php.

33. CVE-2021-43155 | CWE-89 | Sql | Published 2021-12-22 | Updated 2021-12-28 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
Projectsworlds Online Book Store PHP v1.0 is vulnerable to SQL injection via the "bookisbn" parameter in cart.php.

34. CVE-2021-43035 | CWE-89 | Exec Code Sql | Published 2021-12-06 | Updated 2021-12-06 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account.

35. CVE-2021-42945 | CWE-89 | Sql | Published 2021-12-15 | Updated 2021-12-15 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
A SQL Injection vulnerability exists in ZZCMS 2021 via the askbigclassid parameter in /admin/ask.php.

36. CVE-2021-42760 | CWE-89 | Sql | Published 2021-12-08 | Updated 2021-12-09 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiWLM version 8.6.1 and below allows an attacker to disclose sensitive information from DB tables via crafted requests.

37. CVE-2021-42313 | CWE-89 | Exec Code Sql | Published 2021-12-15 | Updated 2021-12-30 | Score 10.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Complete/Complete/Complete
Microsoft Defender for IoT Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42311, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.

38. CVE-2021-42131 | CWE-89 | Sql | Published 2021-12-07 | Updated 2021-12-08 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
A SQL Injection vulnerability exists in Ivanti Avalanche before 6.3.3 that allows an attacker with access to the Inforail Service to perform privilege escalation.

39. CVE-2021-42064 | CWE-89 | Sql | Published 2021-12-14 | Updated 2021-12-16 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | C/I/A: Partial/Partial/Partial
If configured to use an Oracle database and if a query is created using the flexible search Java API with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011 - allows an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.

40. CVE-2021-41843 | CWE-89 | Sql | Published 2021-12-17 | Updated 2021-12-22 | Score 6.8 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Complete/None/None
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.

41. CVE-2021-41695 | CWE-89 | Sql | Published 2021-12-09 | Updated 2021-12-14 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php.

42. CVE-2021-41262 | CWE-89 | Sql | Published 2021-12-16 | Updated 2021-12-21 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
Galette is a membership management web application built for non-profit organizations and released under GPLv3. Versions prior to 0.9.6 are subject to SQL injection attacks by users with "member" privilege. Users are advised to upgrade to version 0.9.6 as soon as possible. There are no known workarounds.

43. CVE-2021-41063 | CWE-89 | Exec Code Sql | Published 2021-12-08 | Updated 2022-01-04 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
A SQL injection vulnerability was discovered in Aanderaa GeoView Webservice prior to version 2.1.3 that could allow unauthenticated attackers to execute arbitrary commands.

44. CVE-2021-40861 | CWE-89 | Exec Code Sql | Published 2021-12-08 | Updated 2021-12-13 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.

45. CVE-2021-40860 | CWE-89 | Exec Code Sql | Published 2021-12-08 | Updated 2021-12-13 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) before 9.0.013.11 allows an attacker to execute arbitrary SQL queries via the ql_expression parameter, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.

46. CVE-2021-40850 | CWE-89 | Sql | Published 2021-12-17 | Updated 2021-12-21 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | C/I/A: Partial/Partial/Partial
TCMAN GIM is vulnerable to a SQL injection vulnerability inside several available webservice methods in /PC/WebService.asmx.

47. CVE-2021-40578 | CWE-89 | Exec Code Sql +Info | Published 2021-12-07 | Updated 2021-12-16 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
An authenticated blind and error-based SQL injection vulnerability was discovered in Online Enrollment Management System in PHP and PayPal Free Source Code 1.0, that allows attackers to obtain sensitive information and execute arbitrary SQL commands via the IDNO parameter.

48. CVE-2021-40313 | CWE-89 | Sql | Published 2021-12-06 | Updated 2021-12-07 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.

49. CVE-2021-40282 | CWE-89 | Sql | Published 2021-12-09 | Updated 2021-12-13 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_download.php when registering ordinary users.

50. CVE-2021-40281 | CWE-89 | Sql | Published 2021-12-09 | Updated 2021-12-13 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | C/I/A: Partial/Partial/Partial
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.
Total number of vulnerabilities: 100. Page 1 of 2 (this page lists entries 1 to 50).