Tag
#sql
Elite CMS Pro version 2.01 suffers from a remote SQL injection vulnerability.
Elevel CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
E-Journal Homoeo CMS version 2.0.3 suffers from a remote SQL injection vulnerability.
EI Tube YouTube API version 3 suffers from a remote SQL injection vulnerability.
WordPress Core version 5.6.2 appears to suffer from an XPath injection vulnerability via the log parameter.
An issue was discovered in Tigergraph Enterprise 3.7.0. The TigerGraph platform installs a full development toolchain within every TigerGraph deployment. An attacker is able to compile new executables on each Tigergraph system and modify system and Tigergraph binaries.
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.
LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers.
The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using them in a SQL statement as part of its export feature, allowing unauthenticated attackers to conduct SQL injection attacks.
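The bug class behind the SQL injection entries above (user input concatenated into a statement, including the authentication-bypass case for Elevel CMS) is small enough to show end to end. The following is an added example, not code from any of the listed products or advisories: a constructed in-memory SQLite users table, a login query built by string formatting beside the same query with bound parameters, and the two classic bypass payloads run against both.

```python
import sqlite3

# Constructed sample data for the example; no relation to any advisory above.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 'administrator')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'subscriber')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Input is interpolated into the SQL text, so quotes and comment
    markers in the input become part of the statement."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()   # (username, role) or None


def login_fixed(conn, username, password):
    """Same query with placeholders; the driver passes the values as data,
    so they can never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Payload 1: comment out the password check.  The vulnerable query becomes
#   ... WHERE username = 'admin' -- ' AND password = 'wrong'
COMMENT_BYPASS = "admin' -- "

# Payload 2: tautology in the password field.  AND binds tighter than OR, so
#   ... WHERE username = 'x' AND password = '' OR '1'='1'
# matches every row and the first one (admin) is returned.
TAUTOLOGY_BYPASS = "' OR '1'='1"


def demo():
    """Run both payloads against both implementations; returns the four results."""
    db = make_db()
    return {
        "vulnerable_comment":  login_vulnerable(db, COMMENT_BYPASS, "wrong"),
        "vulnerable_tautology": login_vulnerable(db, "x", TAUTOLOGY_BYPASS),
        "fixed_comment":       login_fixed(db, COMMENT_BYPASS, "wrong"),
        "fixed_tautology":     login_fixed(db, "x", TAUTOLOGY_BYPASS),
        "fixed_real_login":    login_fixed(db, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print("%-22s %r" % (name, row))
```

The parameterised version still authenticates the real credentials and returns nothing for either payload; escaping alone is a weaker fix because it has to be applied correctly for every parameter, which is exactly what the export feature above got wrong.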
An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to the SSH authorized_keys file. Any code running as the tigergraph user can append an SSH public key to that file, so an attacker who gains code execution as that user obtains password-less SSH access with a key of their own.
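A practical detection for the authorized_keys issue above is to diff the file against an approved allowlist of keys. The following is an added example, not TigerGraph code: it parses authorized_keys lines (including option prefixes such as `command="..."`), and reports any key whose type and blob are not on the allowlist. The sample file content and key blobs are constructed placeholders, not real key material.

```python
import shlex

# Prefixes of OpenSSH key type tokens; the token after the type is the base64 blob.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-")


def parse_authorized_keys(text):
    """Return (key_type, key_blob, comment) for every key line.
    Blank lines and '#' comments are skipped; option prefixes such as
    command="/bin/foo arg",no-pty are kept intact by shlex and stepped over."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # quoted option values stay one token
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                comment = " ".join(tokens[i + 2:])
                entries.append((tok, tokens[i + 1], comment))
                break
    return entries


def unexpected_keys(text, allowlist):
    """Entries whose (type, blob) pair is not in the approved set."""
    return [e for e in parse_authorized_keys(text) if (e[0], e[1]) not in allowlist]


def audit_file(path, allowlist):
    """Read an authorized_keys file from disk and return the unexpected entries."""
    with open(path, encoding="utf-8") as fh:
        return unexpected_keys(fh.read(), allowlist)


# Constructed sample authorized_keys content; blobs are placeholders, not real keys.
SAMPLE = """# ops access
ssh-ed25519 AAAAC3Nza-ops-placeholder ops@bastion
command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3Nza-backup-placeholder backup@nas

ssh-ed25519 AAAAC3Nza-unknown-placeholder someone@somewhere
"""

ALLOWLIST = {
    ("ssh-ed25519", "AAAAC3Nza-ops-placeholder"),
    ("ssh-rsa", "AAAAB3Nza-backup-placeholder"),
}


if __name__ == "__main__":
    for key_type, blob, comment in unexpected_keys(SAMPLE, ALLOWLIST):
        print("unexpected key:", key_type, blob, comment)
```

Because the advisory's point is that the service account itself can write the file, the allowlist and the job that runs this check must live outside that account's reach (root-owned, or on a separate monitoring host) or the attacker can simply update both.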