CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In August 2021 (SQL Injection)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-39376 | 89 | | Sql | 2021-08-24 | 2021-08-31 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter. |
| 2 | CVE-2021-39375 | 89 | | Sql | 2021-08-24 | 2021-09-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter. |
| 3 | CVE-2021-39302 | 89 | | Sql | 2021-08-19 | 2021-08-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. |
| 4 | CVE-2021-39165 | 287 | | Sql | 2021-08-26 | 2021-09-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active; the stable version 2.3.18 and its developing 2.4 branch are affected. |
| 5 | CVE-2021-38754 | 89 | | Sql | 2021-08-16 | 2021-11-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php. |
| 6 | CVE-2021-38574 | 89 | | Sql | 2021-08-11 | 2021-08-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows SQL Injection via crafted data at the end of a string. |
| 7 | CVE-2021-38393 | 89 | | Exec Code Sql | 2021-08-30 | 2021-09-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| 8 | CVE-2021-38391 | 89 | | Exec Code Sql | 2021-08-30 | 2021-09-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| 9 | CVE-2021-38390 | 89 | | Exec Code Sql | 2021-08-30 | 2021-09-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| 10 | CVE-2021-38302 | 89 | | Sql | 2021-08-13 | 2021-08-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection. |
| 11 | CVE-2021-38168 | 89 | | Sql | 2021-08-07 | 2021-08-12 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers. |
| 12 | CVE-2021-38167 | 89 | | Sql Bypass | 2021-08-07 | 2021-08-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication. |
| 13 | CVE-2021-38159 | 89 | | Sql | 2021-08-07 | 2021-08-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4). |
| 14 | CVE-2021-38145 | 89 | | Sql | 2021-08-31 | 2021-09-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1. |
| 15 | CVE-2021-37832 | 89 | | Sql | 2021-08-03 | 2021-08-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter. |
| 16 | CVE-2021-37749 | 89 | | Sql | 2021-08-30 | 2021-09-01 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method. |
| 17 | CVE-2021-37614 | 89 | | Sql | 2021-08-05 | 2021-08-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3). |
| 18 | CVE-2021-37599 | 89 | | Exec Code Sql | 2021-08-12 | 2021-08-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The exporter/Login.aspx login form in the Exporter in Nuance Winscribe Dictation 4.1.0.99 is vulnerable to SQL injection that allows a remote, unauthenticated attacker to read the database (and execute code in some situations) via the txtPassword parameter. |
| 19 | CVE-2021-37558 | 89 | | Exec Code Sql | 2021-08-03 | 2021-08-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php. |
| 20 | CVE-2021-37557 | 89 | | Exec Code Sql | 2021-08-03 | 2021-08-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter. |
| 21 | CVE-2021-37556 | 89 | | Exec Code Sql | 2021-08-03 | 2021-08-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters. |
| 22 | CVE-2021-37538 | 89 | | Exec Code Sql | 2021-08-24 | 2021-08-31 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller. |
| 23 | CVE-2021-37358 | 89 | | Exec Code Sql | 2021-08-18 | 2021-08-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL Injection in SEACMS v210530 (2021-05-30) allows remote attackers to execute arbitrary code via the component "admin_ajax.php?action=checkrepeat&v_name=". |
| 24 | CVE-2021-37350 | 89 | | Sql | 2021-08-13 | 2021-08-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Nagios XI before version 5.8.5 is vulnerable to a SQL injection vulnerability in the Bulk Modifications Tool due to improper input sanitisation. |
| 25 | CVE-2021-36789 | 89 | | Sql | 2021-08-13 | 2021-08-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL Injection. |
| 26 | CVE-2021-36748 | 89 | | Sql | 2021-08-20 | 2021-08-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A SQL Injection issue in the list controller of the Prestahome Blog (aka ph_simpleblog) module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sb_category parameter. |
| 27 | CVE-2021-36455 | 89 | | Sql | 2021-08-06 | 2021-08-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php. |
| 28 | CVE-2021-36385 | 89 | | Exec Code Sql | 2021-08-24 | 2021-08-31 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell. |
| 29 | CVE-2021-36351 | 89 | | Sql | 2021-08-06 | 2021-08-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL Injection Vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php. |
| 30 | CVE-2021-35212 | 89 | | Sql | 2021-08-31 | 2021-11-05 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform, reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content, including the Orion certificate, for any authenticated user. |
| 31 | CVE-2021-32983 | 89 | | Exec Code Sql | 2021-08-30 | 2021-09-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. |
| 32 | CVE-2021-32590 | 89 | | Exec Code Sql | 2021-08-04 | 2021-08-11 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests. |
| 33 | CVE-2021-31869 | 89 | | Sql | 2021-08-04 | 2021-08-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Pimcore AdminBundle version 6.8.0 and earlier suffers from a SQL injection issue in the specificID variable used by the application. This issue was fixed in version 6.9.4 of the product. |
| 34 | CVE-2021-31867 | 89 | | Sql | 2021-08-04 | 2021-08-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Pimcore Customer Data Framework version 3.0.0 and earlier suffers from a Boolean-based blind SQL injection issue in the $id parameter of the SegmentAssignmentController.php component of the application. This issue was fixed in version 3.0.2 of the product. |
| 35 | CVE-2021-28890 | 89 | | Sql | 2021-08-12 | 2021-08-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | J2eeFAST 2.2.1 allows remote attackers to perform SQL injection via the (1) compId parameter to fast/sys/user/list, (2) deptId parameter to fast/sys/role/list, or (3) roleId parameter to fast/sys/role/authUser/list, related to the use of ${} to join SQL statements. |
| 36 | CVE-2021-27999 | 89 | | Sql | 2021-08-19 | 2021-08-24 | 4.0 | None | Remote | Low | ??? | None | Partial | None | A SQL injection vulnerability was discovered in the editid parameter in Local Services Search Engine Management System Project 1.0. This vulnerability gives admin users the ability to dump all data from the database. |
| 37 | CVE-2021-24580 | 89 | | Sql | 2021-08-30 | 2021-09-02 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in a SQL statement, leading to a SQL Injection issue. |
| 38 | CVE-2021-24557 | 89 | | Sql | 2021-08-23 | 2021-08-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in a SQL query, therefore leading to SQL injection for users having the Administrator role. |
| 39 | CVE-2021-24555 | 89 | | Sql CSRF | 2021-08-23 | 2021-08-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user. |
| 40 | CVE-2021-24554 | 89 | | Sql | 2021-08-23 | 2021-08-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue. |
| 41 | CVE-2021-24553 | 89 | | Sql | 2021-08-23 | 2021-08-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin. |
| 42 | CVE-2021-24552 | 89 | | Sql | 2021-08-23 | 2021-08-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue. |
| 43 | CVE-2021-24551 | 89 | | Sql | 2021-08-23 | 2021-08-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue. |
| 44 | CVE-2021-24550 | 89 | | Sql | 2021-08-23 | 2021-08-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving a URL to edit, leading to an authenticated SQL injection issue. |
| 45 | CVE-2021-24521 | 89 | | Sql | 2021-08-09 | 2021-08-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack. |
| 46 | CVE-2021-24520 | 89 | | Sql | 2021-08-09 | 2021-08-16 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Stock in & out WordPress plugin through 1.0.4 lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability. |
| 47 | CVE-2021-24507 | 89 | | Sql | 2021-08-09 | 2021-08-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX actions (available to both unauthenticated and authenticated users) before using them in a SQL statement, leading to SQL Injection issues. |
| 48 | CVE-2021-24506 | 89 | | Sql | 2021-08-23 | 2021-08-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. |
| 49 | CVE-2021-24497 | 89 | | Exec Code Sql | 2021-08-23 | 2021-08-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Giveaway WordPress plugin through 1.2.2 is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $post_id on the options.php page. |
| 50 | CVE-2021-24492 | 89 | | Sql | 2021-08-02 | 2021-08-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated user, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. |
Total number of vulnerabilities: 84 (page 1 of 2)