Injection SQL

An issue was discovered in WUZHI CMS 4.1.0. The vulnerable file is coreframe/app/order/admin/goods.php. The $keywords parameter is taken directly into execution without any filtering, leading to SQL injection. (CVSS:0.0) (Last Update:2018-07-20)

In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI. (CVSS:0.0) (Last Update:2018-07-19)

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo. (CVSS:0.0) (Last Update:2018-07-15)

There is a time-based blind SQL injection vulnerability in the Access Manager component before 9.18.040 and 10.x before 10.18.040 in ELO ELOenterprise 9 and 10 and ELOprofessional 9 and 10 that makes it possible to read all database content. The vulnerability exists in the ticket HTTP GET parameter. For example, one can succeed in reading the password hash of the administrator user in the "userdata" table from the "eloam" database. (CVSS:0.0) (Last Update:2018-07-11)

An issue was discovered in cckevincyh SSH CompanyWebsite through 2018-05-03. SQL injection exists via the admin/noticeManageAction_queryNotice.action noticeInfo parameter. (CVSS:0.0) (Last Update:2018-07-19)

joyplus-cms 1.6.0 has SQL Injection via the manager/admin_ajax.php val parameter. (CVSS:0.0) (Last Update:2018-07-18)

WolfSight CMS 3.2 allows SQL injection via the PATH_INFO to the default URI. (CVSS:0.0) (Last Update:2018-07-12)

The "Firebase Cloud Messaging (FCM) + Advance Admin Panel" component supporting Firebase Push Notification on iOS (through 2017-10-26) allows SQL injection via the /advance_push/public/login username parameter. (CVSS:0.0) (Last Update:2018-07-10)