CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In March 2021(SQL Injection)

Columns (each entry spans four lines): # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date; then Score; then Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.; then the vulnerability description.
1 CVE-2021-29343 89 Sql 2021-03-30 2021-04-05
5.5
None Remote Low ??? Partial Partial None
Ovidentia CMS 6.x contains a SQL injection vulnerability in the "id" parameter of index.php. The "checkbox" property into "text" data can be extracted and displayed in the text region or in source code.
2 CVE-2021-28668 89 Sql 2021-03-29 2021-04-01
7.5
None Remote Low Not required Partial Partial Partial
Xerox AltaLink B80xx before 103.008.020.23120, C8030/C8035 before 103.001.020.23120, C8045/C8055 before 103.002.020.23120 and C8070 before 103.003.020.23120 has several SQL injection vulnerabilities.
3 CVE-2021-28419 89 Sql 2021-03-18 2021-04-27
6.5
None Remote Low ??? Partial Partial Partial
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases.
4 CVE-2021-28381 89 Sql 2021-03-16 2021-03-22
7.5
None Remote Low Not required Partial Partial Partial
The vhs (aka VHS: Fluid ViewHelpers) extension before 5.1.1 for TYPO3 allows SQL injection via isLanguageViewHelper.
5 CVE-2021-28295 89 Sql 2021-03-16 2021-03-22
5.0
None Remote Low Not required Partial None None
Online Ordering System 1.0 is vulnerable to unauthenticated SQL injection through /onlineordering/GPST/admin/design.php, which may lead to database information disclosure.
6 CVE-2021-28245 89 Sql 2021-03-31 2021-04-05
5.0
None Remote Low Not required Partial None None
PbootCMS 3.0.4 contains a SQL injection vulnerability through index.php via the search parameter that can reveal sensitive information through adding an admin account.
7 CVE-2021-27948 89 Sql 2021-03-15 2021-03-16
6.5
None Remote Low ??? Partial Partial Partial
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).
8 CVE-2021-27947 89 Sql 2021-03-15 2021-03-16
6.5
None Remote Low ??? Partial Partial Partial
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).
9 CVE-2021-27946 89 Sql 2021-03-15 2021-03-23
6.5
None Remote Low ??? Partial Partial Partial
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
10 CVE-2021-27928 78 Exec Code Sql 2021-03-19 2022-01-04
9.0
None Remote Low ??? Complete Complete Complete
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
11 CVE-2021-27890 89 Sql 2021-03-15 2021-09-21
6.8
None Remote Medium Not required Partial Partial Partial
SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.
12 CVE-2021-27581 89 Sql 2021-03-05 2021-03-15
7.5
None Remote Low Not required Partial Partial Partial
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
13 CVE-2021-27320 89 Sql 2021-03-24 2021-03-24
5.0
None Remote Low Not required Partial None None
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via firstname parameter.
14 CVE-2021-27319 89 Sql 2021-03-24 2021-03-24
5.0
None Remote Low Not required Partial None None
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter.
15 CVE-2021-27316 89 Sql 2021-03-24 2021-03-24
5.0
None Remote Low Not required Partial None None
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the lastname parameter.
16 CVE-2021-27315 89 Sql 2021-03-24 2021-03-24
5.0
None Remote Low Not required Partial None None
Blind SQL injection in contactus.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the comment parameter.
17 CVE-2021-27314 89 Sql 2021-03-05 2021-03-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection in admin.php in Doctor Appointment System 1.0 allows an unauthenticated attacker to insert malicious SQL queries via the username parameter at the login page.
18 CVE-2021-26966 89 Sql +Info 2021-03-05 2021-03-10
5.5
None Remote Low ??? Partial Partial None
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database.
19 CVE-2021-26965 89 Sql +Info 2021-03-05 2021-03-10
5.5
None Remote Low ??? Partial Partial None
A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database.
20 CVE-2021-26935 89 Sql 2021-03-18 2021-03-24
5.0
None Remote Low Not required Partial None None
In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter.
21 CVE-2021-26578 89 Sql 2021-03-22 2021-03-25
5.0
None Remote Low Not required Partial None None
A potential security vulnerability has been identified in HPE Network Orchestrator (NetO) version(s): Prior to 2.5. The vulnerability could be remotely exploited with SQL injection.
22 CVE-2021-24149 89 Sql 2021-03-18 2021-03-23
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue.
23 CVE-2021-24143 89 Sql 2021-03-18 2021-03-22
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections.
24 CVE-2021-24142 89 Sql 2021-03-18 2021-03-22
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections.
25 CVE-2021-24141 89 Sql 2021-03-18 2021-03-22
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the Advanced Database Cleaner plugin, versions before 3.0.2, leads to SQL injection, allowing high privilege users (admin+) to perform SQL attacks.
26 CVE-2021-24140 89 Sql 2021-03-18 2021-03-22
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, leads to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test.
27 CVE-2021-24139 89 Sql 2021-03-18 2021-03-22
7.5
None Remote Low Not required Partial Partial Partial
Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.
28 CVE-2021-24138 89 Sql 2021-03-18 2021-03-24
5.5
None Remote Low ??? Partial None Partial
Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user.
29 CVE-2021-24137 89 Sql 2021-03-18 2021-03-23
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, leads to SQL Injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands.
30 CVE-2021-24132 89 Sql 2021-03-18 2021-03-24
6.5
None Remote Low ??? Partial Partial Partial
The bulk_action, export_full and save_slider_db functionalities of the Slider by 10Web WordPress plugin, versions before 1.2.36, were vulnerable, allowing a high privileged user (Admin), or a medium one such as Contributor+ (if "Role Options" is turned on for other users), to perform SQL Injection attacks.
31 CVE-2021-24131 89 Sql 2021-03-18 2021-03-24
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, leads to multiple authenticated SQL injection vulnerabilities; however, it requires a high privilege user (admin+).
32 CVE-2021-24130 89 Sql 2021-03-18 2021-03-24
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+).
33 CVE-2021-24125 89 Sql 2021-03-18 2021-04-09
6.5
None Remote Low ??? Partial Partial Partial
Unvalidated input in the Contact Form Submissions WordPress plugin before 1.7.1 could lead to SQL injection in the wpcf7_contact_form GET parameter when submitting a filter request as a high privilege user (admin+).
34 CVE-2021-23352 89 Sql 2021-03-09 2021-03-13
7.5
None Remote Low Not required Partial Partial Partial
This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.
35 CVE-2021-22859 89 Exec Code Sql 2021-03-17 2021-03-23
7.5
None Remote Low Not required Partial Partial Partial
The users' data querying function of the EIC e-document system does not filter special characters, which allows remote attackers to inject SQL syntax and execute arbitrary commands without privilege.
36 CVE-2021-22848 89 Exec Code Sql 2021-03-18 2021-03-23
7.5
None Remote Low Not required Partial Partial Partial
HGiga MailSherlock contains a SQL Injection. Remote attackers can inject SQL syntax and execute SQL commands in a URL parameter of email pages without privilege.
37 CVE-2021-21380 89 Sql 2021-03-23 2021-03-24
6.5
None Remote Low ??? Partial Partial Partial
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API to perform SQL requests without escaping the from and where search arguments. This might lead quite easily to an SQL script injection for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki is to uninstall the Ratings API in XWiki from the Extension Manager.
38 CVE-2021-21339 312 Sql 2021-03-23 2021-03-26
5.0
None Remote Low Not required Partial None None
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
39 CVE-2021-20678 89 Exec Code Sql 2021-03-18 2021-03-23
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
40 CVE-2021-3119 89 DoS Exec Code Sql 2021-03-25 2021-03-27
5.0
None Remote Low Not required None None Partial
Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a remote denial of service attack. For example, an SQL injection can be used to execute the crafted SQL command sequence, which causes a segmentation fault.
41 CVE-2020-35337 89 Exec Code Sql 2021-03-24 2021-03-24
7.5
None Remote Low Not required Partial Partial Partial
ThinkSAAS before 3.38 contains a SQL injection vulnerability through app/topic/action/admin/topic.php via the title parameter, which allows remote attackers to execute arbitrary SQL commands.
42 CVE-2020-35329 89 Sql 2021-03-04 2021-03-04
4.0
None Remote Low ??? Partial None None
Courier Management System 1.0 is affected by SQL Injection via 'MULTIPART street '.
43 CVE-2020-35327 89 Sql 2021-03-04 2021-03-10
4.0
None Remote Low ??? Partial None None
A SQL injection vulnerability was discovered in Courier Management System 1.0, which can be exploited via the ref_no (POST) parameter to admin_class.php.
44 CVE-2020-28657 89 Sql 2021-03-02 2021-03-04
7.5
None Remote Low Not required Partial Partial Partial
In bPanel 2.0, the administrative ajax endpoints (aka ajax/aj_*.php) are accessible without authentication and allow SQL injections, which could lead to platform compromise.
45 CVE-2020-28172 89 Sql Bypass 2021-03-31 2021-04-02
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in Simple College Website 1.0 allows remote unauthenticated attackers to bypass the admin authentication mechanism in college_website/admin/ajax.php?action=login, thus gaining access to the website administrative panel.
46 CVE-2020-24913 89 Sql 2021-03-04 2021-03-22
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.
47 CVE-2020-24877 89 Sql Bypass 2021-03-15 2021-03-16
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to an access restriction bypass.
48 CVE-2020-24791 89 Sql 2021-03-10 2021-03-12
7.5
None Remote Low Not required Partial Partial Partial
FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
49 CVE-2020-10582 89 Sql 2021-03-25 2021-03-27
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection on the /admin/display_errors.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to execute arbitrary SQL requests (including data reading and modification) on the database.
50 CVE-2020-6577 89 Sql 2021-03-19 2021-03-25
7.5
None Remote Low Not required Partial Partial Partial
The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection.
Total number of vulnerabilities : 50   Page : 1 (This Page)