Export limit exceeded: 19863 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (19863 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-37226 | 1 Joomsky | 2 J2 Jobs, Js Jobs | 2026-07-15 | 7.1 High |
| Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information using automated tools. | ||||
| CVE-2020-37224 | 1 Joomsky | 2 J2 Jobs, Js Jobs | 2026-07-15 | 7.1 High |
| Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information. | ||||
| CVE-2020-37004 | 2 Codexcube, Rise | 2 Ultimate Project Manager Crm Pro, Ultimate Project Manager | 2026-07-15 | 8.2 High |
| The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques. | ||||
| CVE-2019-25752 | 1 Cmsjunkie | 1 J-businessdirectory | 2026-07-15 | 8.2 High |
| Joomla! Component J-BusinessDirectory 4.9.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the type parameter. Attackers can send GET requests to index.php with the option=com_jbusinessdirectory&task=categories.getCategories parameters and inject UNION-based SQL statements in the type parameter to extract database information including schema names and sensitive data. | ||||
| CVE-2019-25751 | 1 Cmsjunkie | 1 J-classifiedsmanager | 2026-07-15 | 8.2 High |
| Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the categorySearch, adType, and citySearch parameters to the displayads component to extract sensitive database information including usernames, databases, and version details. | ||||
| CVE-2019-25746 | 2 Slicedinvoices, Wordpress | 2 Sliced Invoices, Wordpress | 2026-07-15 | 7.1 High |
| WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data. | ||||
| CVE-2019-25693 | 2 Montala, Resourcespace | 2 Resourcespace, Resourcespace | 2026-07-15 | 7.1 High |
| ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data. | ||||
| CVE-2019-25675 | 3 Arcasolutions, Edirectory, Microfocus | 3 Edirectory, Edirectory, Edirectory | 2026-07-15 | 8.2 High |
| eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into parameters. Attackers can exploit the key parameter in the login endpoint with union-based SQL injection to authenticate as administrator, then leverage authenticated file disclosure vulnerabilities in language_file.php to read arbitrary PHP files from the server. | ||||
| CVE-2019-25643 | 1 Endonesia | 1 Endonesia | 2026-07-15 | 8.2 High |
| eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extract sensitive database information from the INFORMATION_SCHEMA tables. | ||||
| CVE-2019-25573 | 2 Greencms, Njtech | 2 Greencms, Greencms | 2026-07-15 | 7.1 High |
| Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat parameter to manipulate database queries and extract sensitive information. | ||||
| CVE-2019-25303 | 2 Cusg, Thejshen | 2 Content Management System, Contentmanagementsystem | 2026-07-15 | 7.1 High |
| TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads. | ||||
| CVE-2019-25260 | 2 Oxid-esales, Oxidforge | 2 Eshop, Oxid Eshop | 2026-07-15 | 8.2 High |
| OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs. | ||||
| CVE-2018-25407 | 1 Endonesia | 1 Endonesia | 2026-07-15 | 8.2 High |
| eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details. | ||||
| CVE-2018-25406 | 1 Endonesia | 1 Endonesia | 2026-07-15 | 8.2 High |
| eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information. | ||||
| CVE-2018-25405 | 1 Endonesia | 1 Endonesia | 2026-07-15 | 8.2 High |
| eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details. | ||||
| CVE-2018-25207 | 2 Ays-pro, Hscripts | 2 Quiz Maker, Online Quiz Maker | 2026-07-15 | 7.1 High |
| Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication. | ||||
| CVE-2018-25203 | 2 Online Store System Project, Wecodex | 2 Online Store System, Online Store System Cms | 2026-07-15 | 8.2 High |
| Online Store System CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with the action=clientaccess parameter using boolean-based blind or time-based blind SQL injection payloads in the email field to extract sensitive database information. | ||||
| CVE-2017-20273 | 2 Joomlashowroom, Vcita | 2 Event Registration Pro Calendar, Event Registration Calendar By Vcita | 2026-07-15 | 8.2 High |
| Joomla Event Registration Pro Calendar 4.1.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=com_registrationpro&view=category&id parameter containing SQL injection payloads to extract sensitive database information. | ||||
| CVE-2017-20268 | 2 Apereo, Zcontent | 2 Bw-calendar-engine, Zap Calendar Lite | 2026-07-15 | 8.2 High |
| Joomla! Component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'eid' parameter. Attackers can send GET requests to the RSVP plugin endpoint with crafted SQL payloads to extract sensitive database information including database names and table structures. | ||||
| CVE-2016-20069 | 3 Codepeople, Dwbooster, Wordpress | 3 Booking Calendar Contact Form, Booking Calendar Contact Form, Wordpress | 2026-07-15 | 8.2 High |
| WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to execute arbitrary SQL queries and extract sensitive database information. | ||||