Security Headlines

Tag: #sql

GHSA-v9q5-9crp-92f9: FUXA SQL Injection vulnerability

A SQL injection vulnerability in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

GHSA-p46g-8c3q-89p2: FUXA SQL Injection vulnerability

FUXA <= 1.1.12 is vulnerable to SQL Injection via `/api/signin`.

CVE-2023-31717

A SQL injection vulnerability in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

CVE-2023-31719: GitHub - MateusTesser/CVE-2023-31719

FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.
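The two FUXA entries above describe the same class of bug: a sign-in handler that lets request input reach the SQL text, which yields both an authentication bypass and, via `UNION`, exfiltration of other rows. The following is an added illustration, not FUXA's code and not the actual payload for CVE-2023-31717/31719: a constructed in-memory SQLite `users` table (plaintext passwords only to keep the demo short), a concatenating sign-in function beside a parameterized one, and the payloads that separate them.

```python
import sqlite3
from typing import Optional

# Constructed fixture for the demo: one account in an in-memory database.
# Nothing here is taken from FUXA; the schema and column names are assumptions.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def signin_vulnerable(conn: sqlite3.Connection,
                      username: str, password: str) -> Optional[str]:
    """Sign-in built by string concatenation.

    The caller's input becomes part of the SQL grammar: a quote closes the
    string literal, '--' comments out the password check, and UNION lets the
    attacker pull back any column as the 'matched username'.
    Returns the first column of the first row, or None when no row matches.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def signin_fixed(conn: sqlite3.Connection,
                 username: str, password: str) -> Optional[str]:
    """Same logic with bound parameters.

    The driver sends the statement and the values separately, so a quote or
    comment marker in the input is just data compared against the column and
    can never alter the shape of the WHERE clause.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' --"                              # comments out AND password = ...
    exfil = "' UNION SELECT password FROM users --"   # returns another column instead
    print("vulnerable, bypass :", signin_vulnerable(db, bypass, "wrong"))
    print("vulnerable, exfil  :", signin_vulnerable(db, exfil, "wrong"))
    print("fixed, bypass      :", signin_fixed(db, bypass, "wrong"))
    print("fixed, exfil       :", signin_fixed(db, exfil, "wrong"))
    print("fixed, real login  :", signin_fixed(db, "admin", "correct-horse"))
```

The bypass payload works because SQLite, like most engines, treats `--` as a line comment; the `UNION` payload works because the vulnerable query's result set is whatever the rewritten statement selects, which is what turns an authentication bug into a data-exfiltration bug. The parameterized version needs no input filtering to reject both.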

CVE-2023-34576: [CVE-2023-34576] Improper neutralization of SQL parameter in Opart Faq for PrestaShop

SQL injection vulnerability in updatepos.php in the PrestaShop opartfaq module through 1.0.3 allows remote attackers to run arbitrary SQL commands via an unspecified vector.

CVE-2023-34577: [CVE-2023-34577] Improper neutralization of SQL parameter in Opart Planned popup for PrestaShop

SQL injection vulnerability in the PrestaShop opartplannedpopup module 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via the OpartPlannedPopupModuleFrontController::prepareHook() method.

CVE-2023-42807: Frappe LMS SQL Injection Issue on People Page

Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, the People page of LMS had a SQL injection vulnerability. The issue has been fixed in the `main` branch; users running the latest `main` branch of the app are not affected.

GHSA-v5wf-jg37-r9m5: SQLpage vulnerable to public exposure of database credentials

### Impact

If

- you are using a SQLPage version older than v0.11.1,
- your SQLPage instance is exposed publicly,
- the database connection string is specified in the `sqlpage/sqlpage.json` configuration file (not in an environment variable),
- the web_root is the current working directory (the default), and
- your database is exposed publicly,

then an attacker could retrieve the database connection information from SQLPage and use it to connect to your database directly.

### Patches

Upgrade to [v0.11.1](https://github.com/lovasoa/SQLpage/releases/tag/v0.11.1) as soon as possible.

### Workarounds

If you cannot upgrade immediately:

- Using an environment variable instead of the configuration file to specify the database connection string prevents exposing it on vulnerable versions.
- Using a different [web root](https://github.com/lovasoa/SQLpage/blob/main/configuration.md) (that is not a parent of the SQLPage configuration directory) fixes the issue.
- And in any case, you should...
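The second workaround turns on a path-containment question: is the `sqlpage/` configuration directory a descendant of the directory being served? The following is an added deployment check, not part of SQLPage or of the advisory: it assumes (per the advisory text) that the configuration file lives at `sqlpage/sqlpage.json` under the working directory and that the web root is a directory path, and it reports the URL path at which the file would sit if the layout is the vulnerable one. It normalizes `.`/`..` and avoids the common prefix mistake where `/srv/app2` is mistaken for a child of `/srv/app`.

```python
import os
from typing import Optional

# Layout assumed from the advisory: configuration is read from
# "<working dir>/sqlpage/sqlpage.json"; the web root defaults to the working
# directory. Both directories are passed in so the check runs offline.
CONFIG_DIR_NAME = "sqlpage"
CONFIG_FILE_NAME = "sqlpage.json"


def is_inside(parent: str, child: str) -> bool:
    """True if `child` equals `parent` or lies below it.

    abspath() collapses '.', '..' and repeated separators without touching
    the filesystem; commonpath() compares whole path components, so
    '/srv/app2/x' is correctly reported as outside '/srv/app'.
    """
    parent_abs = os.path.abspath(parent)
    child_abs = os.path.abspath(child)
    try:
        return os.path.commonpath([parent_abs, child_abs]) == parent_abs
    except ValueError:
        # Raised when the paths cannot share a root (e.g. different drives).
        return False


def served_config_path(web_root: str, working_dir: str) -> Optional[str]:
    """URL path at which sqlpage/sqlpage.json would fall under the web root.

    Returns None when the configuration directory is outside the served tree,
    i.e. the web root is not a parent of it, which is the safe layout.
    """
    config_file = os.path.join(working_dir, CONFIG_DIR_NAME, CONFIG_FILE_NAME)
    if not is_inside(web_root, config_file):
        return None
    rel = os.path.relpath(os.path.abspath(config_file), os.path.abspath(web_root))
    return "/" + rel.replace(os.sep, "/")


def config_exposed(web_root: str, working_dir: str) -> bool:
    """Convenience wrapper: True for the vulnerable layout."""
    return served_config_path(web_root, working_dir) is not None


if __name__ == "__main__":
    # Constructed layouts: the default (web root == working dir) and a
    # dedicated www/ subdirectory as the advisory's second workaround.
    for web_root, cwd in [("/srv/app", "/srv/app"),
                          ("/srv/app/www", "/srv/app"),
                          ("/srv/app/www/..", "/srv/app"),
                          ("/srv/app", "/srv/app2")]:
        print(f"web_root={web_root!r:<20} cwd={cwd!r:<12} "
              f"-> {served_config_path(web_root, cwd)}")
```

With the default layout the file resolves to `/sqlpage/sqlpage.json` under the served tree; pointing the web root at a sibling such as `www/` (and not at `www/..`, which normalizes straight back to the parent) removes the configuration directory from the served tree. Moving the connection string into an environment variable, the first workaround, is independent of this check and protects even when the layout cannot be changed.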