#sql

AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php.

An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user can perform SQL injection in versions up to 2.13.0.

jeecg-boot v3.4.4 was discovered to contain an authenticated SQL injection vulnerability via the building block report component.

Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users urls to the servers domain but which may contain malicious code. The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. Users are advised to upgrade. Users unable to upgrade may disable the custom reset URL allow list as a workaround.