Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2019-12351 An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-30052 In Home Clean Service System 1.0, the password parameter is vulnerable to SQL injection attacks. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28568 Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. An attacker can obtain remote command execution just by knowing the pa... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-29347 An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34082 OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js, allows attackers to execute arbitrary commands via the fix func... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-30054 In Covid 19 Travel Pass Management 1.0, the code parameter is vulnerable to SQL injection attacks. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-28246 A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was r... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-30449 Hospital Management System in PHP with Source Code (HMS) 1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in room.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-26634 SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of files compromising Maxboard, which may lead to arbitrary code exec... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28461 mingyuefusu Library Management System all versions as of 03-27-2022 is vulnerable to SQL Injection. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-42242 A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28557 There is a command injection vulnerability at the /goform/setsambacfg interface of Tenda AC15 US_AC15V1.0BR_V15.03.05.20_multi_TDE01.bin device web, which can also cooperate with CVE-2021-44971 to cau... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26065 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26059 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData. This allows an attacker to inject arbitrary SQL queries, retrieve a... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-42235 SQL injection in osTicket before 1.14.8 and 1.15.4 login and password reset process allows attackers to access the osTicket administration profile functionality. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34080 OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the ... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-30064 On Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22 before 03.23, TCSEFEA23F3F20/21, and Belden Tofino Xenon Security Appliance, an SSH login can succeed with hardcoded default credentials ... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-34079 OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the 'ports' entry of a crafted docker-compose.yml fi... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-29155 In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur durin... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-43118 A Remote Command Injection vulnerability exists in DrayTek Vigor 2960 1.5.1.3, DrayTek Vigor 3900 1.5.1.3, and DrayTek Vigor 300B 1.5.1.3 via a crafted HTTP message containing malformed QUERY STRING i... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28381 Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31978 Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_inquiry. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-27177 A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2 | 9.8 | CRITICAL | β | 0 |
| CVE-2022-27534 Kaspersky Anti-Virus products for home and Kaspersky Endpoint Security with antivirus databases released before 12 March 2022 had a bug in a data parsing module that potentially allowed an attacker to... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26013 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_dmdsetHandler.ashx. This allows an attacker to inject arbitrary SQL queries,... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28368 Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file). | 9.8 | CRITICAL | β | 0 |
| CVE-2022-30370 Air Cargo Management System 1.0 is vulnerable to SQL Injection via /acms/classes/Master.php?f=delete_cargo_type. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-24770 SQL injection vulnerability in modrules.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-29383 NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28206 An issue was discovered in MediaWiki through 1.37.1. ImportPlanValidator.php in the FileImporter extension mishandles the check for edit rights. | 9.8 | CRITICAL | β | 0 |
| CVE-2021-42967 Unrestricted file upload in /novel-admin/src/main/java/com/java2nb/common/controller/FileController.java in novel-plus all versions allows allows an attacker to upload malicious JSP files. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28022 Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_item. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-24769 SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the classes parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-24108 The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on ... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28023 Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_supplier. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28028 Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_amenity. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-29644 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for the telnet service stored in the component /web_cste/cgi-bin/product.ini. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28029 Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_type. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-29645 TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a hard coded password for root stored in the component /etc/shadow.sample. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26711 An integer overflow issue was addressed with improved input validation. This issue is fixed in tvOS 15.5, iTunes 12.12.4 for Windows, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Monterey 12.4. A remo... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28030 Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_estate. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28205 An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-31951 Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via /rdms/classes/Master.php?f=delete_respondent_type. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28410 Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Users.php?f=delete_agent. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-28411 Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/admin/?page=agents/manage_agent. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-1731 Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0 is vulnerable to a SQL injection attack in the username field. SSO or System authentication are required to be enabled for vulnerable conditions t... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-30384 Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggers_merch/classes/Master.php?f=delete_inventory. | 9.8 | CRITICAL | β | 0 |
| CVE-2022-23795 An issue was discovered in Joomla! 2.5.0 through 3.10.6 & 4.0.0 through 4.1.0. A user row was not bound to a specific authentication mechanism which could under very special circumstances allow an acc... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-26836 Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL quer... | 9.8 | CRITICAL | β | 0 |
| CVE-2022-23797 An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Inadequate filtering on the selected Ids on an request could resulted into an possible SQL injection. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.