CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In September 2021 (SQL Injection)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-41288 | 89 | | Sql | 2021-09-30 | 2021-10-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API. |
| 2 | CVE-2021-40814 | 89 | | Sql | 2021-09-08 | 2021-09-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Customer Photo Gallery addon before 2.9.4 for PrestaShop is vulnerable to SQL injection. |
| 3 | CVE-2021-40674 | 89 | | Sql | 2021-09-20 | 2021-09-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php. |
| 4 | CVE-2021-40670 | 89 | | Sql | 2021-09-16 | 2021-09-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the /coreframe/app/order/admin/card.php file. |
| 5 | CVE-2021-40669 | 89 | | Sql | 2021-09-16 | 2021-09-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file. |
| 6 | CVE-2021-40353 | 89 | | Sql | 2021-09-01 | 2021-09-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637. |
| 7 | CVE-2021-40309 | 89 | | Sql | 2021-09-24 | 2021-10-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0, which allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability. |
| 8 | CVE-2021-39379 | 89 | | Sql | 2021-09-01 | 2021-09-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter. |
| 9 | CVE-2021-39378 | 89 | | Sql | 2021-09-01 | 2021-09-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter. |
| 10 | CVE-2021-39377 | 89 | | Sql | 2021-09-01 | 2021-09-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter. |
| 11 | CVE-2021-38840 | 89 | | Sql | 2021-09-07 | 2021-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter. |
| 12 | CVE-2021-38833 | 89 | | Sql | 2021-09-13 | 2021-11-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE. |
| 13 | CVE-2021-38727 | 89 | | Sql | 2021-09-09 | 2021-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items. |
| 14 | CVE-2021-38723 | 89 | | Sql | 2021-09-09 | 2021-09-20 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items. |
| 15 | CVE-2021-38706 | 89 | | Exec Code Sql | 2021-09-07 | 2021-09-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | messages_load.php in ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter. |
| 16 | CVE-2021-38324 | 89 | | Sql | 2021-09-09 | 2021-09-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file, which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3. |
| 17 | CVE-2021-38303 | 89 | | Sql | 2021-09-28 | 2021-10-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360. |
| 18 | CVE-2021-37422 | 89 | | Sql | 2021-09-10 | 2021-09-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. |
| 19 | CVE-2021-36880 | 89 | | Sql | 2021-09-27 | 2021-10-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom. |
| 20 | CVE-2021-33701 | 89 | | +Priv Sql | 2021-09-15 | 2021-12-15 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to a highly privileged account to execute a manipulated query in the NDZT tool to gain access to the Superuser account, leading to a SQL Injection vulnerability that highly impacts the system's Confidentiality, Integrity and Availability. |
| 21 | CVE-2021-33688 | 89 | | Sql +Info | 2021-09-14 | 2021-09-23 | 4.0 | None | Remote | Low | ??? | Partial | None | None | SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained. |
| 22 | CVE-2021-24741 | 89 | | Sql | 2021-09-20 | 2021-10-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. |
| 23 | CVE-2021-24728 | 79 | | Sql XSS | 2021-09-13 | 2021-09-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statements, leading to Authenticated SQL Injections in the Members and Payments pages. |
| 24 | CVE-2021-24727 | 89 | | Sql | 2021-09-13 | 2021-09-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameters in some of its admin dashboard pages, leading to Authenticated SQL Injections. |
| 25 | CVE-2021-24726 | 89 | | Sql | 2021-09-13 | 2021-09-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action before using it in a SQL statement, leading to an authenticated SQL injection issue. |
| 26 | CVE-2021-24666 | 89 | | Sql | 2021-09-27 | 2021-10-05 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the REST route '/services/contributor/(?P<id>[\d]+)' and takes 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi. |
| 27 | CVE-2021-24606 | 89 | | Sql | 2021-09-20 | 2021-10-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+. |
| 28 | CVE-2021-24511 | 89 | | Sql | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 29 | CVE-2021-24404 | 89 | | Sql | 2021-09-20 | 2021-09-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time-based SQLi; in the same function the vulnerable parameter is passed twice, so a delay of 5 seconds takes 10 seconds to return since the query ran twice. |
| 30 | CVE-2021-24403 | 89 | | Sql | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors. |
| 31 | CVE-2021-24402 | 89 | | Sql | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors. |
| 32 | CVE-2021-24401 | 89 | | Sql | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 33 | CVE-2021-24400 | 89 | | Sql | 2021-09-20 | 2021-10-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 had an `id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 34 | CVE-2021-24399 | 89 | | Sql | 2021-09-20 | 2021-09-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 35 | CVE-2021-24398 | 89 | | Sql | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. This is a time-based SQLi; in the same function the vulnerable parameter is passed twice, so a delay of 5 seconds takes 10 seconds to return since the query is run twice. |
| 36 | CVE-2021-24397 | 89 | | Sql | 2021-09-20 | 2021-09-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a GET request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 37 | CVE-2021-24396 | 89 | | Sql | 2021-09-20 | 2021-09-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 38 | CVE-2021-24395 | 89 | | Sql | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The editid GET parameter of the Embed Youtube Video WordPress plugin through 1.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 39 | CVE-2021-24394 | 89 | | Sql | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An id GET parameter of the Easy Testimonial Manager WordPress plugin through 1.2.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 40 | CVE-2021-24393 | 89 | | Sql | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 41 | CVE-2021-24392 | 89 | | Sql | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 42 | CVE-2021-24391 | 89 | | Sql | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. |
| 43 | CVE-2021-24390 | 89 | | Sql | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A proid GET parameter of the WordPress支付宝Alipay\|财付通Tenpay\|贝宝PayPal集成插件 WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. |
| 44 | CVE-2021-24303 | 89 | | Sql | 2021-09-06 | 2021-09-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues. |
| 45 | CVE-2021-23040 | 89 | | Sql | 2021-09-14 | 2021-09-24 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | On BIG-IP AFM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This issue is exposed only when BIG-IP AFM is provisioned. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| 46 | CVE-2020-21127 | 89 | | Sql | 2021-09-15 | 2021-09-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel. |
| 47 | CVE-2020-21121 | 89 | | Sql | 2021-09-15 | 2021-09-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file. |
| 48 | CVE-2020-20797 | 89 | | Sql | 2021-09-30 | 2021-10-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php. |
| 49 | CVE-2020-20796 | 89 | | Sql | 2021-09-30 | 2021-10-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter. |
| 50 | CVE-2020-20692 | 89 | | Sql | 2021-09-27 | 2021-10-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | GilaCMS v1.11.4 was discovered to contain a SQL injection vulnerability via the $_GET parameter in /src/core/controllers/cm.php. |
Total number of vulnerabilities: 55. Page 1 of 2 (this page).