ReportizFlow
Filtered by vendor
Subscriptions
Total
17328 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-23305 | 6 Apache, Broadcom, Netapp and 3 more | 46 Log4j, Brocade Sannav, Snapmanager and 43 more | 2024-11-21 | 9.8 Critical |
| By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | ||||
| CVE-2022-23169 | 1 Amodat | 1 Mobile Application Gateway | 2024-11-21 | 5.9 Medium |
| attacker needs to craft a SQL payload. the vulnerable parameter is "agentid" must be authenticated to the admin panel. | ||||
| CVE-2022-23168 | 1 Amodat | 1 Mobile Application Gateway | 2024-11-21 | 5.9 Medium |
| The attacker could get access to the database. The SQL injection is in the username parameter at the login panel: username: admin'-- | ||||
| CVE-2022-23046 | 1 Phpipam | 1 Phpipam | 2024-11-21 | 7.2 High |
| PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php | ||||
| CVE-2022-22897 | 1 Apollotheme | 1 Ap Pagebuilder | 2024-11-21 | 9.8 Critical |
| A SQL injection vulnerability in the product_all_one_img and image_product parameters of the ApolloTheme AP PageBuilder component through 2.4.4 for PrestaShop allows unauthenticated attackers to exfiltrate database data. | ||||
| CVE-2022-22881 | 1 Jeecg | 1 Jeecg Boot | 2024-11-21 | 9.8 Critical |
| Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData. | ||||
| CVE-2022-22880 | 1 Jeecg | 1 Jeecg Boot | 2024-11-21 | 9.8 Critical |
| Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /jeecg-boot/sys/user/queryUserByDepId. | ||||
| CVE-2022-22794 | 1 Cybonet | 1 Pineapp Mail Secure | 2024-11-21 | 6.8 Medium |
| Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner. | ||||
| CVE-2022-22735 | 1 Sedlex | 1 Simple Quotation | 2024-11-21 | 8.8 High |
| The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks | ||||
| CVE-2022-22540 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 7.5 High |
| SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to execute crafted database queries, that could expose the backend database. Successful attacks could result in disclosure of a table of contents from the system, but no risk of modification possible. | ||||
| CVE-2022-22495 | 1 Ibm | 1 I | 2024-11-21 | 8.8 High |
| IBM i 7.3, 7.4, and 7.5 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 226941. | ||||
| CVE-2022-22463 | 1 Ibm | 1 Security Verify Access | 2024-11-21 | 6.5 Medium |
| IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 225079. | ||||
| CVE-2022-22413 | 1 Ibm | 1 Robotic Process Automation | 2024-11-21 | 9.8 Critical |
| IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 223022. | ||||
| CVE-2022-22389 | 4 Ibm, Linux, Microsoft and 1 more | 4 Db2, Linux Kernel, Windows and 1 more | 2024-11-21 | 6.5 Medium |
| IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may terminate abnormally when executing specially crafted SQL statements by an authenticated user. IBM X-Force ID: 2219740. | ||||
| CVE-2022-22295 | 1 Metinfo | 1 Metinfo | 2024-11-21 | 9.8 Critical |
| Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter. | ||||
| CVE-2022-22294 | 1 Zfaka Project | 1 Zfaka | 2024-11-21 | 9.8 Critical |
| A SQL injection vulnerability exists in ZFAKA<=1.43 which an attacker can use to complete SQL injection in the foreground and add a background administrator account. | ||||
| CVE-2022-22280 | 1 Sonicwall | 2 Analytics, Global Management System | 2024-11-21 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command leading to Unauthenticated SQL Injection vulnerability, impacting SonicWall GMS 9.3.1-SP2-Hotfix1, Analytics On-Prem 2.5.0.3-2520 and earlier versions. | ||||
| CVE-2022-22055 | 1 Le-yan Dental Management System Project | 1 Le-yan Dental Management System | 2024-11-21 | 9.8 Critical |
| The Le-yan dental management system contains an SQL-injection vulnerability. An unauthenticated remote attacker can inject SQL commands into the input field of the login page to acquire administrator’s privilege and perform arbitrary operations on the system or disrupt service. | ||||
| CVE-2022-20867 | 1 Cisco | 3 Asyncos, Secure Email And Web Manager, Secure Email Gateway | 2024-11-21 | 5.4 Medium |
| A vulnerability in web-based management interface of the of Cisco Email Security Appliance and Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct SQL injection attacks as root on an affected system. The attacker must have the credentials of a high-privileged user account. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system. | ||||
| CVE-2022-20786 | 1 Cisco | 1 Unified Communications Manager Im And Presence Service | 2024-11-21 | 5.4 Medium |
| A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper validation of user-submitted parameters. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database of the affected system. | ||||