CVEs

CMS Auditor Website 1.0 has SQL Injection via the PATH_INFO to /news-detail.

Co-work Space Search Script 1.0 has SQL Injection via the /list city parameter.

Consumer Complaints Clone Script 1.0 has SQL Injection via the other-user-profile.php id parameter.

Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker_details.php sourcebus parameter.

Advanced Real Estate Script 4.0.7 has SQL Injection via the search-results.php Projectmain, proj_type, searchtext, sell_price, or maxprice parameter.

Advance B2B Script 2.1.3 has SQL Injection via the tradeshow-list-detail.php show_id or view-product.php pid parameter.

Cab Booking Script 1.0 has SQL Injection via the /service-list city parameter.

Basic B2B Script 2.0.8 has SQL Injection via the product_details.php id parameter.

Advance Online Learning Management Script 3.1 has SQL Injection via the courselist.php subcatid or popcourseid parameter.

Affiliate MLM Script 1.0 has SQL Injection via the product-category.php key parameter.

Nearbuy Clone Script 3.2 has SQL Injection via the category_list.php search parameter.

Entrepreneur Job Portal Script 2.0.6 has SQL Injection via the jobsearch_all.php rid1 parameter.

Beauty Parlour Booking Script 1.0 has SQL Injection via the /list gender or city parameter.

DomainSale PHP Script 1.0 has SQL Injection via the domain.php id parameter.

Website Auction Marketplace 2.0.5 has SQL Injection via the search.php cat_id parameter.

Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single-cause.php pid parameter.

FS Stackoverflow Clone 1.0 has SQL Injection via the /question keywords parameter.

FS Thumbtack Clone 1.0 has SQL Injection via the browse-category.php cat parameter or the browse-scategory.php sc parameter.

FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvshow.php s parameter, or show_misc_video.php id parameter.

FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter.

FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter.

FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter.

FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter.

FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter.

FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter.

FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid parameter.

FS Linkedin Clone 1.0 has SQL Injection via the group.php grid parameter, profile.php fid parameter, or company_details.php id parameter.

FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter.

FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter.

FS Trademe Clone 1.0 has SQL Injection via the search_item.php search parameter or the general_item_details.php id parameter.

FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat parameter, browse-scategory.php sc parameter, or service-provider.php ser parameter.

FS Groupon Clone 1.0 has SQL Injection via the item_details.php id parameter or the vendor_details.php id parameter.

FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter.

FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, or the search.php category_id or sub_category_id parameter.

FS Amazon Clone 1.0 has SQL Injection via the PATH_INFO to /VerAyari.

FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parameter.

FS Expedia Clone 1.0 has SQL Injection via the pages.php or content.php id parameter, or the show-flight-result.php fl_orig or fl_dest parameter.

Ametys before 4.0.3 requires authentication only for URIs containing a /cms/ substring, which allows remote attackers to bypass intended access restrictions via a direct request to /plugins/core-ui/servercomm/messages.xml, as demonstrated by changing the admin password by obtaining account details via a users/search.json request, and then modifying the account via an editUser request.

Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.

In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter.

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

Buffer overflow in the SoftConsole client in Avaya IP Office before 10.1.1 allows remote servers to execute arbitrary code via a long response.

Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php.

Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.

Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter.

Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php.

Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951, CVE-2009-3497, and CVE-2012-0982.

Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/.

Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action.

Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525.