Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-22319: TALOS-2023-1701 || Cisco Talos Intelligence Group

A sql injection vulnerability exists in the requestHandlers.js LoginAuth functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a malicious packet to trigger this vulnerability.

CVE
Open in Source
#sql#vulnerability#web#cisco#js#intel#auth
CVE-2023-30325: ChatEngine/src/chatbotapp/chatWindow.java at fded8e710ad59f816867ad47d7fc4862f6502f3e · wliang6/ChatEngine

SQL Injection vulnerability in textMessage parameter in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine v.1.0, allows attackers to gain sensitive information.

CVE-2023-30323: ChatEngine/src/chatbotapp/chatWindow.java at fded8e710ad59f816867ad47d7fc4862f6502f3e · wliang6/ChatEngine

SQL Injection vulnerability in username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0, allows attackers to gain sensitive information.

CVE-2023-36968: GitHub - haxxorsid/food-ordering-system: Food or Item Order Management System

A SQL Injection vulnerability detected in Food Ordering System v1.0 allows attackers to run commands on the database by sending crafted SQL queries to the ID parameter.

CVE-2023-36189: Mitigate issue #5923 (Prompt injection -> SQL injection in SQLChain) by boazwasserman · Pull Request #6051 · hwchase17/langchain

SQL injection vulnerability in langchain v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.

CVE-2023-36813: Release Kanboard 1.2.31 · kanboard/kanboard

Kanboard is project management software that focuses on the Kanban methodology. In versions prior to 1.2.31authenticated user is able to perform a SQL Injection, leading to a privilege escalation or loss of confidentiality. It appears that in some insert and update operations, the code improperly uses the PicoDB library to update/insert new information. Version 1.2.31 contains a fix for this issue.

CVE-2023-36808: SQL injection through Computer Virtual Machine information

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

CVE-2023-35924: SQL injection via inventory agent request

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

CVE-2023-36934: Progress Customer Community

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Beauty Salon Management System 1.0 SQL Injection

Beauty Salon Management System version 1.0 suffers from a remote SQL injection vulnerability.