#sql

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the ATTACH DATABASE command. Additionally, attackers may be able to access and modify any data stored in the database, like performance profiles (which may contain session cookies), Meshery application data, or any Kubernetes configuration added to the system. The Meshery project exposes the function `GetMeshSyncResourcesKinds` at the API URL `/api/system/meshsync/resources/kinds`. The order query parameter is directly used to build a SQL query in `meshync_handler.go`. Version 0.7.22 fixes this issue.

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order` parameter of `GetMeshSyncResources`. Version 0.7.17 contains a patch for this issue.

Online Shopping Portal Project version 2.0 suffers from a remote SQL injection vulnerability.

Dolphin version 7.4.2 suffers from a remote blind SQL injection vulnerability.

Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Best Courier Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

This is the official vulnerability disclosure report for CVEs CVE-2024-38881 through CVE-2024-38891 by jTag Labs. This report details critical security vulnerabilities found within Caterease Software, a product of Horizon Business Services Inc. These vulnerabilities have significant implications for the confidentiality, integrity, and availability of the software and the sensitive data it handles. The issues include problems like remote SQL injection, command injection, authentication bypass, hard-coded credentials, and more.

Tourism Management System version 2.0 suffers from a cross site scripting vulnerability.

Computer Laboratory Management System version 1.0 suffers from an incorrect access control that allows for privilege escalation.

Leads Manager Tool suffers from remote SQL injection and cross site scripting vulnerabilities.