CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In June 2021 (SQL Injection)

Each entry below spans four lines: (1) # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date; (2) CVSS v2 Score; (3) Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.; (4) description. The "# of Exploits" column is empty for every entry on this page. "???" is how the site renders the Authentication field; on this page it appears only on entries whose descriptions require an authenticated user.
1 CVE-2021-35456 89 Sql 2021-06-28 2021-07-01
7.5
None Remote Low Not required Partial Partial Partial
Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload
2 CVE-2021-35048 89 Sql 2021-06-25 2021-09-14
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.
3 CVE-2021-34187 89 Sql 2021-06-28 2021-07-01
7.5
None Remote Low Not required Partial Partial Partial
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
4 CVE-2021-33894 89 Sql 2021-06-09 2021-06-22
6.5
None Remote Low ??? Partial Partial Partial
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.
5 CVE-2021-33180 89 Exec Code Sql 2021-06-01 2021-06-09
7.5
None Remote Low Not required Partial Partial Partial
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
6 CVE-2021-32932 89 Sql 2021-06-11 2021-06-21
5.0
None Remote Low Not required Partial None None
The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on the iView (versions prior to v5.7.03.6182).
7 CVE-2021-32704 89 Sql 2021-06-24 2021-07-08
6.5
None Remote Low ??? Partial Partial Partial
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL injection security vulnerability has been found in specific versions of DHIS2. This vulnerability affects the /api/trackedEntityInstances API endpoint in DHIS2 versions 2.34.4, 2.35.2, 2.35.3, 2.35.4, and 2.36.0. Earlier versions, such as 2.34.3 and 2.35.1 and all versions 2.33 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. However, we strongly recommend that all DHIS2 implementations using versions 2.34, 2.35 and 2.36 install these patches as soon as possible. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the /api/trackedEntityInstance endpoint as a temporary workaround while waiting to upgrade.
8 CVE-2021-32582 89 Sql 2021-06-17 2021-06-22
5.0
None Remote Low Not required Partial None None
An issue was discovered in ConnectWise Automate before 2021.5. A blind SQL injection vulnerability exists in core agent inventory communication that can enable an attacker to extract database information or administrative credentials from an instance via crafted monitor status responses.
9 CVE-2021-31818 89 Sql 2021-06-17 2021-06-21
4.0
None Remote Low ??? Partial None None
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
10 CVE-2021-31586 89 Sql 2021-06-23 2021-06-25
6.5
None Remote Low ??? Partial Partial Partial
Accellion Kiteworks before 7.4.0 allows an authenticated user to perform SQL Injection via LDAPGroup Search.
11 CVE-2021-29099 89 Sql 2021-06-07 2021-06-10
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.
12 CVE-2021-29090 89 Exec Code Sql 2021-06-02 2021-06-10
9.0
None Remote Low ??? Complete Complete Complete
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors.
13 CVE-2021-29089 89 Exec Code Sql 2021-06-02 2021-06-10
10.0
None Remote Low Not required Complete Complete Complete
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
14 CVE-2021-28993 89 Sql +Info 2021-06-30 2021-07-06
5.0
None Remote Low Not required Partial None None
Plixer Scrutinizer 19.0.2 is affected by SQL injection; the impact is disclosure of sensitive information to a remote attacker.
15 CVE-2021-27828 89 Sql 2021-06-01 2021-06-09
6.4
None Remote Low Not required None Partial Partial
SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
16 CVE-2021-24361 89 Sql 2021-06-21 2021-06-24
7.5
None Remote Low Not required Partial Partial Partial
In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues.
17 CVE-2021-24360 89 Sql 2021-06-14 2021-06-17
4.0
None Remote Low ??? Partial None None
The Yes/No Chart WordPress plugin before 1.0.12 did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users (contributor+) to perform Blind SQL Injection attacks
18 CVE-2021-24348 89 Sql 2021-06-14 2021-06-21
6.5
None Remote Low ??? Partial Partial Partial
The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users, takes the did GET parameter and uses it in an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue
19 CVE-2021-24345 89 Sql 2021-06-14 2021-06-21
6.0
None Remote Medium ??? Partial Partial Partial
The page lists-management feature of the Sendit WP Newsletter WordPress plugin through 2.5.1, available to Administrator users, does not sanitise, validate or escape the id_lista POST parameter before using it in an SQL statement, therefore leading to Blind SQL Injection.
20 CVE-2021-24341 89 Sql 2021-06-14 2021-06-23
6.5
None Remote Low ??? Partial Partial Partial
When deleting a date in the Xllentech English Islamic Calendar WordPress plugin before 2.6.8, the year_number and month_number POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection.
21 CVE-2021-24340 89 Sql 2021-06-07 2021-06-14
5.0
None Remote Low Not required Partial None None
The WP Statistics WordPress plugin before 13.0.8 relied on the WordPress esc_sql() function to escape a value that was then placed in the SQL statement without surrounding quotes, and did not prepare the query first; escaping quote characters does nothing for a value that sits in an unquoted position. Additionally, the page, which should have been accessible to administrators only, was also available to any visitor, including unauthenticated ones.
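The esc_sql() misuse in the WP Statistics entry is the clearest mechanism on this page, so here it is in code. This is an added example, not code from WP Statistics, WordPress or cvedetails: it uses Python with an in-memory SQLite table standing in for the plugin's statistics table, and a hypothetical esc_sql_like() helper that mimics MySQL-style quote escaping. The point it shows is that escaping only protects a quoted string context; when the value lands in an unquoted numeric position the payload needs no quote, so the "escaped" value still rewrites the query. The hardened lookup enforces the type and binds the value as a parameter.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny visitors table standing in
# for the statistics table that the vulnerable plugin page queried.
_ROWS = [(1, "10.0.0.1", "/"), (2, "10.0.0.2", "/about"), (3, "10.0.0.3", "/login")]


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (id INTEGER PRIMARY KEY, ip TEXT, page TEXT)")
    conn.executemany("INSERT INTO visitors VALUES (?, ?, ?)", _ROWS)
    return conn


def esc_sql_like(value: str) -> str:
    """Hypothetical stand-in for quote-escaping helpers such as WordPress's
    esc_sql(): backslash the characters that could end a *quoted* string.
    Spaces, operators and keywords pass through untouched, so the result is
    only safe inside '...' and does nothing for an unquoted numeric position."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def lookup_vulnerable(conn: sqlite3.Connection, visitor_id: str) -> list:
    """The pattern the WP Statistics entry describes: the value is escaped but
    concatenated without surrounding quotes, and no prepared statement is used."""
    sql = "SELECT id, ip, page FROM visitors WHERE id = " + esc_sql_like(visitor_id)
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, visitor_id: str) -> list:
    """Enforce the type first, then bind; the value can no longer alter the
    statement's structure whatever characters it contains."""
    try:
        numeric_id = int(visitor_id)
    except ValueError:
        raise ValueError("visitor_id must be an integer") from None
    return conn.execute("SELECT id, ip, page FROM visitors WHERE id = ?", (numeric_id,)).fetchall()


if __name__ == "__main__":
    payload = "1 OR 1=1"   # no quote anywhere, so the escaping has nothing to act on
    print("vulnerable:", lookup_vulnerable(open_db(), payload))   # every row comes back
    try:
        lookup_hardened(open_db(), payload)
    except ValueError as err:
        print("hardened:", err)
```

lookup_vulnerable() returns all three rows for `1 OR 1=1` because esc_sql_like() leaves that string byte-for-byte unchanged; lookup_hardened() rejects it before any SQL is built. In WordPress the equivalent is `$wpdb->prepare()` with a `%d` placeholder, which is what gives you the integer enforcement shown here. The escaping helper follows MySQL conventions and is not itself valid for SQLite's `''` quoting; the demonstration relies only on the payload containing no quote.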
22 CVE-2021-24337 89 Sql 2021-06-07 2021-07-15
6.5
None Remote Low ??? Partial Partial Partial
The id GET parameter of one of the pages of the Video Embed WordPress plugin through 1.0 (reachable via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection.
23 CVE-2021-24336 89 Sql 2021-06-07 2021-06-14
6.5
None Remote Low ??? Partial Partial Partial
The FlightLog WordPress plugin through 3.0.2 does not sanitise, validate or escape various POST parameters before using them in a SQL statement, leading to SQL injections exploitable by editor and administrator users
24 CVE-2021-24321 89 Sql 2021-06-01 2021-08-12
7.5
None Remote Low Not required Partial Partial Partial
The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and bt_bb_listing_field_my_lat parameters before using them in a SQL statement, leading to SQL Injection issues
25 CVE-2021-23230 89 Sql 2021-06-11 2021-06-22
3.5
None Remote Medium ??? None Partial None
A SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre allows a remote unprivileged Command Centre Operator to modify Command Centre databases undetected. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions.
26 CVE-2021-20736 74 Sql +Info 2021-06-22 2021-07-01
6.4
None Remote Low Not required Partial Partial None
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
27 CVE-2021-3604 89 Sql 2021-06-18 2021-06-24
7.5
None Remote Low Not required Partial Partial Partial
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information about user and administrator accounts stored in the database.
28 CVE-2021-3515 77 Exec Code Sql 2021-06-01 2021-06-14
7.2
None Local Low Not required Complete Complete Complete
A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription().
29 CVE-2020-36004 89 Sql +Info 2021-06-03 2021-06-08
4.0
None Remote Low ??? Partial None None
AppCMS 2.0.101 in /admin/download_frame.php has a SQL injection vulnerability which allows attackers to obtain sensitive database information.
30 CVE-2020-35441 89 Sql 2021-06-02 2021-06-10
7.5
None Remote Low Not required Partial Partial Partial
FDCMS (aka Fangfa Content Management System) 4.0 contains a front-end SQL injection via Admin/Lib/Action/FloginAction.class.php.
31 CVE-2020-29214 89 Sql Bypass 2021-06-15 2021-06-22
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows an attacker to inject a SQL payload via admin/login.php to bypass authentication.
32 CVE-2020-26668 89 Sql 2021-06-01 2021-06-09
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier, which allows an authenticated attacker to inject a malicious SQL query into the application via the 'Create New Feed' function.
33 CVE-2020-25362 89 Sql 2021-06-02 2021-06-09
5.0
None Remote Low Not required Partial None None
The id parameter in Online Shopping Alphaware 1.0 has been discovered to be vulnerable to an error-based blind SQL injection in the /alphaware/details.php path. This allows an attacker to retrieve all databases.
34 CVE-2020-24862 89 Sql 2021-06-02 2021-06-09
5.0
None Remote Low Not required Partial None None
The catID parameter in Pharmacy Medical Store and Sale Point v1.0 has been found to be vulnerable to a Time-Based blind SQL injection via the /medical/inventories.php path which allows attackers to retrieve all databases.
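The Alphaware and Pharmacy entries above name the two blind techniques a defender meets most often in web logs: error-based, where the extracted data rides inside a database error message, and time-based, where the database is made to stall and the answer is read from latency. The detector below is an added example, not code from either project or from cvedetails. It parses constructed nginx-style access log lines (combined format with `$request_time` assumed appended as the last field, an assumption about the server's log_format), flags requests whose id/catID parameters carry time-delay or error-provoking functions, and corroborates each hit with the observed response time or a 5xx status. The log lines, paths, client addresses and payloads are all constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real traffic): nginx combined format with
# $request_time appended as the last field, which is an assumption about how
# the server's log_format was set. Paths and parameter names echo the two
# entries above; the payloads are typical error-based and time-based probes.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2021:10:00:01 +0000] "GET /alphaware/details.php?id=7 HTTP/1.1" 200 1532 "-" "Mozilla/5.0" 0.012
203.0.113.5 - - [02/Jun/2021:10:00:09 +0000] "GET /alphaware/details.php?id=7%27%20AND%20extractvalue(1,concat(0x7e,database()))--%20- HTTP/1.1" 500 812 "-" "Mozilla/5.0" 0.015
198.51.100.9 - - [02/Jun/2021:10:01:40 +0000] "GET /medical/inventories.php?catID=3 HTTP/1.1" 200 2210 "-" "curl/7.68.0" 0.020
198.51.100.9 - - [02/Jun/2021:10:01:47 +0000] "GET /medical/inventories.php?catID=3%20AND%20SLEEP(5) HTTP/1.1" 200 2210 "-" "curl/7.68.0" 5.031
198.51.100.9 - - [02/Jun/2021:10:01:55 +0000] "GET /medical/inventories.php?catID=3%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a) HTTP/1.1" 200 2210 "-" "curl/7.68.0" 5.042
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

# Signature families, applied to the percent-decoded parameter value.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
ERROR_BASED = re.compile(r"\b(extractvalue|updatexml)\s*\(|\bexp\s*\(\s*~|\bfloor\s*\(\s*rand", re.I)
# Identifier-style parameters (id, catID, uid, ...) should be bare integers;
# any SQL syntax in them is suspicious even without a known function name.
NUMERIC_PARAM = re.compile(r"^[a-z_]*id$", re.I)
SQL_SYNTAX = re.compile(r"['\"]|\s(and|or)\s|--|/\*|\bunion\b|\bselect\b", re.I)

SLOW_RESPONSE_SECONDS = 3.0   # assumption: normal responses on these pages are well under this


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; query parameters are percent-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    rec["rt"] = float(rec["rt"])
    return rec


def classify(rec: dict) -> list:
    """Return (parameter, technique, evidence) triples for one parsed request."""
    findings = []
    for name, values in rec["params"].items():
        for value in values:
            if TIME_BASED.search(value):
                technique = "time-based blind"
                if rec["rt"] >= SLOW_RESPONSE_SECONDS:
                    technique += " (latency corroborates)"
            elif ERROR_BASED.search(value):
                technique = "error-based"
                if rec["status"] >= 500:
                    technique += " (server error corroborates)"
            elif NUMERIC_PARAM.match(name) and SQL_SYNTAX.search(value):
                technique = "sql syntax in numeric parameter"
            else:
                continue
            findings.append((name, technique, value))
    return findings


def scan(log_text: str) -> list:
    """Run the detectors over a whole log; one dict per flagged parameter value."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param, technique, evidence in classify(rec):
            hits.append({"ip": rec["ip"], "path": rec["path"], "param": param,
                         "technique": technique, "evidence": evidence})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]} {hit["param"]}: {hit["technique"]} <- {hit["evidence"]!r}')
```

Run against the constructed log, scan() flags the error-based probe on details.php (corroborated by the 500) and both time-based probes on inventories.php (corroborated by the five-second response times), and leaves the two benign requests alone. The numeric-parameter rule catches payloads that use no known function name; a parameter that legitimately carries free text needs a different rule, and a genuinely slow endpoint will produce a latency corroboration on its own, so treat the output as a signal to investigate rather than a verdict.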
35 CVE-2020-24671 89 Sql 2021-06-10 2021-06-11
6.5
None Remote Low ??? Partial Partial Partial
Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03.
36 CVE-2020-24667 89 Sql 2021-06-10 2021-06-11
6.5
None Remote Low ??? Partial Partial Partial
Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03.
37 CVE-2020-23711 89 Sql 2021-06-28 2021-07-01
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in NavigateCMS 2.9 via the URL encoded GET input category in navigate.php.
38 CVE-2020-22212 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in 74cms 3.2.0 via the id parameter to wap/wap-company-show.php.
39 CVE-2020-22211 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php.
40 CVE-2020-22210 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
41 CVE-2020-22209 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.
42 CVE-2020-22208 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in 74cms 3.2.0 via the x parameter to plus/ajax_street.php.
43 CVE-2020-22206 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in ECShop 3.0 via the aid parameter to admin/affiliate_ck.php.
44 CVE-2020-22205 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in ECShop 3.0 via the id parameter to admin/shophelp.php.
45 CVE-2020-22204 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in ECShop 2.7.6 via the goods_number parameter to flow.php.
46 CVE-2020-22203 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in phpCMS 2008 sp4 via the genre parameter to yp/job.php.
47 CVE-2020-22199 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in phpCMS 2007 SP6 build 0805 via the digg_mod parameter to digg_add.php.
48 CVE-2020-22198 89 Sql 2021-06-16 2021-06-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in DedeCMS 5.7 via mdescription parameter to member/ajax_membergroup.php.
49 CVE-2020-22175 89 Sql +Info 2021-06-22 2021-06-24
5.0
None Remote Low Not required Partial None None
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\admin\betweendates-detailsreports.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information.
50 CVE-2020-22174 89 Sql +Info 2021-06-22 2021-06-24
5.0
None Remote Low Not required Partial None None
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\book-appointment.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information.
Total number of vulnerabilities: 67. Page 1 of 2 (this page shows entries 1-50).
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.