CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In April 2021(SQL Injection)

Columns per entry: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. The source's "# of Exploits" column is empty for every entry on this page and is omitted here; "-" marks a blank cell and "???" is the source's own placeholder for a value it does not list. Each entry's description follows its row.

1 | CVE-2021-31856 | - | Exec Code Sql | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).

2 | CVE-2021-31777 | 89 | Sql | 2021-04-28 | 2021-08-27 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.

3 | CVE-2021-30459 | 89 | Sql | 2021-04-14 | 2021-04-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form.

4 | CVE-2021-30177 | 89 | Exec Code Sql | 2021-04-07 | 2021-04-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
There is a SQL Injection vulnerability in PHP-Nuke 8.3.3 in the User Registration section, leading to remote code execution. This occurs because the U.S. state is not validated to be two letters, and the OrderBy field is not validated to be one of LASTNAME, CITY, or STATE.

5 | CVE-2021-30176 | 89 | Sql | 2021-04-13 | 2021-04-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The ZEROF Expert pro/2.0 application for mobile devices allows SQL Injection via the Authorization header to the /v2/devices/add endpoint.

6 | CVE-2021-30175 | 89 | Sql | 2021-04-13 | 2021-04-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
ZEROF Web Server 1.0 (April 2021) allows SQL Injection via the /HandleEvent endpoint for the login page.

7 | CVE-2021-30055 | 89 | Sql | 2021-04-05 | 2021-04-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report.

8 | CVE-2021-30000 | 89 | Exec Code Sql | 2021-04-02 | 2021-04-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An issue was discovered in LATRIX 0.6.0. SQL injection in the txtaccesscode parameter of inandout.php leads to information disclosure and code execution.

9 | CVE-2021-29350 | 89 | Sql | 2021-04-29 | 2021-09-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection in the getip function in conn/function.php in ??100-???????? 1.1 allows remote attackers to inject arbitrary SQL commands via the X-Forwarded-For header to admin/product_add.php.

10 | CVE-2021-28970 | 89 | Sql | 2021-04-01 | 2021-04-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None
eMPS 9.0.1.923211 on the Central Management of FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the job_id parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3.

11 | CVE-2021-28969 | 89 | Sql | 2021-04-01 | 2021-04-07 | 4.0 | None | Remote | Low | ??? | Partial | None | None
eMPS 9.0.1.923211 on FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort_by parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3. NOTE: this is different from CVE-2020-25034 and affects newer versions of the software.

12 | CVE-2021-28925 | 89 | Sql | 2021-04-08 | 2021-04-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 via the o[col] parameter to api/checks/read/.

13 | CVE-2021-28828 | 89 | Sql | 2021-04-20 | 2021-04-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition for z/Linux, and TIBCO Administrator - Enterprise Edition for z/Linux contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a SQL injection attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.10.2 and below, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric: versions 5.11.0 and 5.11.1, TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.10.2 and below, and TIBCO Administrator - Enterprise Edition for z/Linux: versions 5.11.0 and 5.11.1.

14 | CVE-2021-28242 | 77 | Sql +Info | 2021-04-15 | 2021-06-04 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.

15 | CVE-2021-28157 | 89 | Exec Code Sql | 2021-04-14 | 2021-04-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
An SQL Injection issue in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows an administrative user to execute arbitrary SQL commands via a username in api/security/userinfo/delete.

16 | CVE-2021-28142 | 89 | Sql | 2021-04-06 | 2021-04-19 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
CITSmart before 9.1.2.28 mishandles the "filtro de autocomplete."

17 | CVE-2021-27973 | 89 | Sql | 2021-04-02 | 2021-04-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.

18 | CVE-2021-27672 | 89 | Sql +Info | 2021-04-15 | 2021-04-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None
SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component.

19 | CVE-2021-27545 | 89 | Sql +Info | 2021-04-15 | 2021-04-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None
SQL Injection in the "add-services.php" component of PHPGurukul Beauty Parlour Management System v1.0 allows remote attackers to obtain sensitive database information by injecting SQL commands into the "sername" parameter.

20 | CVE-2021-27130 | 89 | Sql Bypass | 2021-04-14 | 2021-04-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Online Reviewer System 1.0 contains a SQL injection vulnerability through authentication bypass, which may lead to a reverse shell upload.

21 | CVE-2021-26830 | 89 | Sql | 2021-04-16 | 2021-04-19 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.php in the `Pugin library - delete` module.

22 | CVE-2021-25899 | 89 | Sql | 2021-04-23 | 2021-08-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
An issue was discovered in svc-login.php in Void Aural Rec Monitor 9.0.0.1. An unauthenticated attacker can send a crafted HTTP request to perform a blind time-based SQL Injection. The vulnerable parameter is param1.

23 | CVE-2021-25153 | - | Sql | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
A remote SQL injection vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.

24 | CVE-2021-24221 | 89 | Sql | 2021-04-12 | 2021-04-20 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. Since the lowest role allowed to use this shortcode in posts or pages is author, such a user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embedded on a public page or post, then unauthenticated users could exploit the injection.

25 | CVE-2021-24200 | 89 | Sql | 2021-04-12 | 2021-04-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.

26 | CVE-2021-24199 | 89 | Sql | 2021-04-12 | 2021-04-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.

27 | CVE-2021-24186 | 89 | Sql | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.

28 | CVE-2021-24185 | 89 | Sql | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.

29 | CVE-2021-24183 | 89 | Sql | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.

30 | CVE-2021-24182 | 89 | Sql | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.

31 | CVE-2021-24181 | 89 | Sql | 2021-04-05 | 2021-04-09 | 4.0 | None | Remote | Low | ??? | Partial | None | None
The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.

32 | CVE-2021-23276 | 89 | Sql | 2021-04-13 | 2021-04-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to authenticated SQL injection. A malicious user can send a specially crafted packet to exploit the vulnerability. Successful exploitation of this vulnerability can allow attackers to add users in the database.

33 | CVE-2021-22207 | 89 | DoS Sql | 2021-04-23 | 2021-12-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial
Excessive memory consumption in the MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or a crafted capture file.

34 | CVE-2021-21427 | 89 | Sql | 2021-04-21 | 2021-04-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Magento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. The vulnerability is patched in versions 19.4.13 and 20.0.9.

35 | CVE-2020-36195 | 89 | Sql +Info | 2021-04-17 | 2021-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on:
- QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later
- QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later
- QTS 4.4.x and later: Multimedia Console 1.3.4 and later
We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively:
- QTS 4.3.3.1624 Build 20210416 or later
- QTS 4.3.6.1620 Build 20210322 or later

36 | CVE-2020-35430 | 89 | Sql | 2021-04-29 | 2021-04-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL Injection in com/inxedu/OS/edu/controller/letter/AdminMsgSystemController in Inxedu v2.0.6 via the ids parameter to admin/letter/delsystem.

37 | CVE-2020-27241 | 77 | Sql | 2021-04-19 | 2021-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3. The serialnumber parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

38 | CVE-2020-27240 | 77 | Sql | 2021-04-19 | 2021-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3. The componentStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

39 | CVE-2020-27239 | 89 | Sql | 2021-04-15 | 2021-04-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3. The assetStatus parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

40 | CVE-2020-27238 | 89 | Sql | 2021-04-15 | 2021-04-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3. The code parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

41 | CVE-2020-27237 | 89 | Sql | 2021-04-15 | 2021-04-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3. The nomenclature parameter in the getAssets.jsp page is vulnerable to unauthenticated SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

42 | CVE-2020-27236 | 89 | Sql | 2021-04-13 | 2021-04-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3 in the compnomenclature parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.

43 | CVE-2020-27235 | 89 | Sql | 2021-04-13 | 2021-04-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3 in the description parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.

44 | CVE-2020-27234 | 89 | Sql | 2021-04-13 | 2021-04-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3 in the serviceUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.

45 | CVE-2020-27233 | 89 | Sql | 2021-04-13 | 2021-04-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An exploitable SQL injection vulnerability exists in the 'getAssets.jsp' page of OpenClinic GA 5.173.3 in the supplierUID parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.

46 | CVE-2020-23763 | 89 | Exec Code Sql Bypass | 2021-04-09 | 2021-04-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection in admin.php in Online Book Store 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication.

47 | CVE-2020-22807 | 89 | Sql | 2021-04-29 | 2021-05-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An issue was discovered in vtiger crm 7.2: UNION-based SQL injection in the calendar exportdata feature.

48 | CVE-2020-18020 | - | Exec Code Sql | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
SQL Injection in PHPSHE Mall System v1.7 allows remote attackers to execute arbitrary code by injecting SQL commands into the "user_phone" parameter of a crafted HTTP request to the "admin.php" component.

49 | CVE-2020-18019 | - | Sql +Info | 2021-04-28 | 2021-04-28 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
SQL Injection in Xinhu OA System v1.8.3 allows remote attackers to obtain sensitive information by injecting arbitrary commands into the "typeid" variable of the "createfolderAjax" function in the "mode_worcAction.php" component.

50 | CVE-2020-15153 | 89 | Sql | 2021-04-30 | 2021-04-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch.
Total number of vulnerabilities: 55. This is page 1 of 2 (entries 1 to 50).