CWE-89

SQL injection vulnerability in the autoDetectRegion function in doceboCore/lib/lib.regset.php in Docebo 3.5.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Accept-Language HTTP header. NOTE: this can be leveraged to execute arbitrary PHP code using the INTO DUMPFILE command.

SQL injection vulnerability in machine.php in Open Computer and Software (OCS) Inventory NG 1.02.1 allows remote attackers to execute arbitrary SQL commands via the systemid parameter, a different vector than CVE-2009-3040.

Multiple SQL injection vulnerabilities in Open Computer and Software (OCS) Inventory NG 1.02 for Unix allow remote attackers to execute arbitrary SQL commands via the (1) N, (2) DL, (3) O and (4) V parameters to download.php and the (5) SYSTEMID parameter to group_show.php.

Multiple SQL injection vulnerabilities in index.php in CoronaMatrix phpAddressBook 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) parameters.

SQL injection vulnerability in Mr. CGI Guy Hot Links SQL-PHP 3 and earlier allows remote attackers to execute arbitrary SQL commands via the news.php parameter.

SQL injection vulnerability in item.php in WeBid auction script 0.5.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.

SQL injection vulnerability in the admin panel (admin/) in WeBid auction script 0.5.4 allows remote attackers to execute arbitrary SQL commands via the username.

SQL injection vulnerability in members_search.php in iFusion Services iFdate 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the name field.

Multiple SQL injection vulnerabilities in Qsoft K-Rate Premium allow remote attackers to execute arbitrary SQL commands via (1) the $id variable in admin/includes/dele_cpac.php, (2) $ord[order_id] variable in payments/payment_received.php, (3) $id variable in includes/functions.php, and (4) unspecified variables in modules/chat.php, as demonstrated via the (a) show parameter in an online action to index.php; (b) PATH_INTO to the room/ handler; (c) image and (d) id parameters in a vote action to index.php; (e) PATH_INFO to the blog/ handler; and (f) id parameter in a blog_edit action to index.php.

Multiple SQL injection vulnerabilities in Pligg 9.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to vote.php, which is not properly handled in libs/link.php; (2) id parameter to trackback.php; (3) an unspecified parameter to submit.php; (4) requestTitle variable in a query to story.php; (5) requestID and (6) requestTitle variables in recommend.php; (7) categoryID parameter to cloud.php; (8) title parameter to out.php; (9) username parameter to login.php; (10) id parameter to cvote.php; and (11) commentid parameter to edit.php.

Multiple SQL injection vulnerabilities in TheHockeyStop HockeySTATS Online 2.0 Basic and Advanced allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in the viewpage action to the default URI, probably index.php, or (2) divid parameter in the schedule action to index.php.

Multiple SQL injection vulnerabilities in ReVou Micro Blogging Twitter clone allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.

Multiple SQL injection vulnerabilities in SailPlanner 0.3a allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.

Multiple SQL injection vulnerabilities in Kalptaru Infotech Ltd. Star Articles 6.0 allow remote attackers to inject arbitrary SQL commands via (1) the subcatid parameter to article.list.php; or the artid parameter to (2) article.print.php, (3) article.comments.php, (4) article.publisher.php, or (5) article.download.php; and (6) the PATH_INFO to article.download.php. NOTE: some of these details are obtained from third party information.

SQL injection vulnerability in authenticate.php in Chipmunk Topsites allows remote attackers to execute arbitrary SQL commands via the username parameter, related to login.php. NOTE: some of these details are obtained from third party information.

SQL injection vulnerability in index.php in One-News Beta 2 allows remote attackers to execute arbitrary SQL commands via the q parameter.

Multiple SQL injection vulnerabilities in login.asp in NatterChat 1.1 and 1.12 allow remote attackers to execute arbitrary SQL commands via the (1) txtUsername parameter (aka Username) and (2) txtPassword parameter (aka Password) in a form generated by home.asp. NOTE: due to lack of details, it is not clear whether this is related to CVE-2004-2206.

SQL injection vulnerability in admin/include/newpoll.php in AJ Square Free Polling Script (AJPoll) Database version allows remote attackers to execute arbitrary SQL commands via the ques parameter.

SQL injection vulnerability in ahah/sf-profile.php in the Yellow Swordfish Simple Forum module for Wordpress allows remote attackers to execute arbitrary SQL commands via the u parameter. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.

SQL injection vulnerability in the My_eGallery module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the gid parameter in a showgall action to modules.php. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.