| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| SQL injection vulnerability in the Search module in Tru-Zone Nuke ET 3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the query parameter. |
| SQL injection vulnerability in admin/password_forgotten.php in Zen Cart 1.2.6d and earlier allows remote attackers to execute arbitrary SQL commands via the admin_email parameter. |
| SQL injection vulnerability in kb.php in Omnistar Live 5.2 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) id and (2) category_id parameter. NOTE: due to a typo, an Internet Explorer issue was incorrectly assigned this identifier, but the correct identifier is CVE-2005-3240. |
| SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName variable in SiteAdmin.ASP. |
| Multiple SQL injection vulnerabilities in include.php in PHPKIT 1.6.1 R2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in conjunction with the login/userinfo.php path and (2) the session parameter (aka the PHPKITSID variable). |
| Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-file_galleries.php, (10) tiki-list_faqs.php, (11) tiki-list_trackers.php, (12) tiki-list_blogs.php, or via the offset parameter in (13) tiki-usermenu.php, (14) tiki-browse_categories.php, (15) tiki-index.php, (16) tiki-user_tasks.php, (17) tiki-list_faqs.php, (18) tiki-list_trackers.php, or (19) tiki-list_blogs.php. |
| Multiple SQL injection vulnerabilities in DCP-Portal 6 and earlier allow remote attackers to execute arbitrary SQL commands, possibly requiring encoded characters, via (1) the name parameter in register.php, (2) the email parameter in lostpassword.php, (3) the year parameter in calendar.php, and the (4) cid parameter to index.php. NOTE: the mid parameter for forums.php is already associated with CVE-2005-0454. NOTE: the index.php/cid vector was later reported to affect 6.11. |
| Multiple SQL injection vulnerabilities in (1) acid_qry_main.php in Analysis Console for Intrusion Databases (ACID) 0.9.6b20 and (2) base_qry_main.php in Basic Analysis and Security Engine (BASE) 1.2, and unspecified other console scripts in these products, allow remote attackers to execute arbitrary SQL commands via the sig[1] parameter and possibly other parameters. |
| The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter. |
| SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the details are obtained solely from third party information. |
| SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3. |
| Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via certain other fields in unspecified scripts. |
| Multiple SQL injection vulnerabilities in Oracle 10g Release 1 before CPU Jan 2006 allow remote attackers to execute arbitrary SQL commands via multiple parameters in (1) ATTACH_JOB, (2) HAS_PRIVS, and (3) OPEN_JOB functions in the SYS.KUPV$FT package; and (4) UPDATE_JOB, (5) ACTIVE_JOB, (6) ATTACH_POSSIBLE, (7) ATTACH_TO_JOB, (8) CREATE_NEW_JOB, (9) DELETE_JOB, (10) DELETE_MASTER_TABLE, (11) DETACH_JOB, (12) GET_JOB_INFO, (13) GET_JOB_QUEUES, (14) GET_SOLE_JOBNAME, (15) MASTER_TBL_LOCK, and (16) VALID_HANDLE functions in the SYS.KUPV$FT_INT package. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that these issues has been addressed by Oracle. It is unclear which, if any, Oracle Vuln# identifiers apply to these issues. |
| SQL injection vulnerability in register.php for phpRaid 3.0.6 and possibly other versions, when the authorization type is phpraid, allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) email parameters. |
| Multiple SQL injection vulnerabilities in lib-sessions.inc.php in phpAdsNew and phpPgAds 2.0.6 and possibly earlier versions allow remote attackers to execute arbitrary SQL commands via the sessionID parameter in (1) logout.php and (2) index.php. |
| SQL injection vulnerability in index.php in GeodesicSolutions (1) GeoAuctions Premier 2.0.3 and (2) GeoClassifieds Basic 2.0.3 allows remote attackers to execute arbitrary SQL commands via the b parameter. |
| Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) GPC data to the ipn_get_stored_session function in ipn_main_handler.php, which can be leveraged to modify elements of $_SESSION; and allow remote authenticated users to execute arbitrary SQL commands via (2) a session id within a cookie to whos_online_session_recreate, (3) the quantity field to the add_cart function, (4) an id[] parameter when adding an item to a shopping cart, or (5) a redemption code when checking out (dc_redeem_code parameter to includes/modules/order_total/ot_coupon.php). |
| Multiple SQL injection vulnerabilities in trackback.php in myWebland myBloggie 2.1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) title, (2) url, (3) excerpt, or (4) blog_name parameters. |
| SQL injection vulnerability in CitySoft Community Enterprise 4.x allows remote attackers to execute arbitrary SQL commands via the (1) nodeID, (2) pageID, (3) ID, and (4) parentid parameter to index.cfm; and (5) documentFormatId parameter to document/docWindow.cfm. |
| Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos 0.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) gastname, (2) gastwohnort, or (3) gasteintrag parameters. |
