Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2022-36272: Mingsoft MCMS v5.2.8 SQL注入【后台】 · Issue #97 · ming-soft/MCMS

Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter.

CVE
Open in Source
#sql#vulnerability
CVE-2022-36599: Mingsoft MCMS v5.2.8 自定义模板处存在SQL注入 · Issue #I5I1P5 · 铭飞/MCMS - Gitee.com

Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.

Multiple cloud vendors impacted by PostgreSQL vulnerability that exposed enterprise databases

Flaws discovered in various PostgreSQL-as-a-Service offerings, including those from Microsoft and Google

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

Inout RealEstate 2.1.2 SQL Injection

Inout RealEstate version 2.1.2 suffers from a remote SQL injection vulnerability.

Inout SiteSearch 2.0.1 Cross Site Scripting

Inout SiteSearch version 2.0.1 suffers from a cross site scripting vulnerability.

CVE-2022-2812

A vulnerability classified as critical was found in SourceCodester Guest Management System. This vulnerability affects unknown code of the file index.php. The manipulation of the argument username/pass leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-206398 is the identifier assigned to this vulnerability.

CVE-2022-35942: Improper Sanitization of `contains` Filter

Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data stored on the connected database. A patch was released in version 5.5.1. This affects users who does any of the following: - Connect to the database via the DataSource with `allowExtendedProperties: true` setting OR - Uses the connector's CRUD methods directly OR - Uses the connector's other methods to interpret the LoopBack filter. Users who are unable to upgrade should do the following if applicable: - Remove `allowExtendedProperties: true` DataSource setting - Add `allowExtendedProperties: false` DataSource setting - When passing directly to the connector functions, manually sanitize the user input for the `contains` LoopBack filter beforehand.

CVE-2022-35956: Release v0.1.3-stable · camilova/activerecord-update-by-case

This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgrade to version >= 0.1.3 that uses `Arel` instead to construct the resulting sql statement, with sanitized sql.

CVE-2022-37397: https://www.yugabyte.com/wp-content/uploads/2021/10/0624-YB-Homepage-New-Site-R2.png

An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.