Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-32027: Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

Microsoft Security Response Center
Open in Source
#sql#vulnerability#web#microsoft#rce#SQL Server#Security Vulnerability
CVE-2023-32026: Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

CVE-2023-32028: Microsoft OLE DB Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

CVE-2023-34251: Server Side Template Injection (SSTI)

Grav is a file-based Web platform. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue.

CVE-2023-31671: [CVE-2023-31671] Improper neutralization of SQL parameter in Postfinance module

PrestaShop postfinance <= 17.1.13 is vulnerable to SQL Injection via PostfinanceValidationModuleFrontController::postProcess().

CVE-2023-34756: bloofox v0.5.2.1 was discovered to contain many SQL injection vulnerability

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit.

CVE-2023-34752

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit.

Online Examination System Project 1.0 Cross Site Request Forgery

Online Examination System Project version 1.0 suffers from a cross site request forgery vulnerability.

Teachers Record Management System 1.0 Validation Bypass

Teachers Record Management System version 1.0 suffers from file upload validation bypass vulnerability.