Security Vulnerabilities, CVEs, Published In May 2009 (Sql injection)

SQL injection vulnerability in product.php in 2daybiz Custom T-shirt Design Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

SQL injection vulnerability in admin/admin_manager.asp in MaxCMS 2.0 allows remote attackers to execute arbitrary SQL commands via an m_username cookie in an add action.

SQL injection vulnerability in admin.php in My Game Script 2.0 allows remote attackers to execute arbitrary SQL commands via the user parameter (aka the username field). NOTE: some of these details are obtained from third party information.

SQL injection vulnerability in mail.php in PHPenpals 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: the profile.php vector is already covered by CVE-2006-0074.

Multiple SQL injection vulnerabilities in admin/index.php in Submitter Script 2 allow remote attackers to execute arbitrary SQL commands via (1) the uNev parameter (aka the username field) or (2) the uJelszo parameter (aka the Password field).

Multiple SQL injection vulnerabilities in myGesuad 0.9.14 (aka 0.9) allow remote attackers to execute arbitrary SQL commands via (1) the formUser parameter (aka the Name field) to common/login.php, and allow remote authenticated users to execute arbitrary SQL commands via the ID parameter in a Detail action to (2) kategorie.php, (3) budget.php, (4) zahlung.php, or (5) adresse.php in modules/, related to classes/class.perform.php.

Multiple SQL injection vulnerabilities in myColex 1.4.2 allow remote attackers to execute arbitrary SQL commands via (1) the formUser parameter (aka the Name field) to common/login.php, and allow remote authenticated users to execute arbitrary SQL commands via the ID parameter in a Detail action to (2) kategorie.php, (3) medium.php, (4) person.php, or (5) schlagwort.php in modules/, related to classes/class.perform.php.

Multiple SQL injection vulnerabilities in admin/index.php in VideoScript.us YouTube Video Script allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.

Multiple SQL injection vulnerabilities in the getGalleryImage function in st_admin/gallery_output.php in ST-Gallery 0.1 alpha, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) gallery_category or (2) gallery_show parameter to example.php.

Multiple SQL injection vulnerabilities in PHP Dir Submit (aka WebsiteSubmitter and Submitter Script) allow remote attackers to bypass authentication and gain administrative access via the (1) username and (2) password parameters.

SQL injection vulnerability in the new user registration feature in BigACE CMS 2.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.

SQL injection vulnerability in index.php in LightOpenCMS 0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

SQL injection vulnerability in inc/ajax.asp in MaxCMS 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a digg action.

SQL injection vulnerability in list_list.php in Realty Webware Technologies Web-Base 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

SQL injection vulnerability in index.php in 26th Avenue bSpeak 1.10 allows remote attackers to execute arbitrary SQL commands via the forumid parameter in a post action.

SQL injection vulnerability in berita.php in Dian Gemilang DGNews 3.0 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action.

code.php in PC4Arb Pc4 Uploader 9.0 and earlier makes it easier for remote attackers to conduct SQL injection attacks via crafted keyword sequences that are removed from a filter in the id parameter in a banner action, as demonstrated via the "UNIunionON" string, which is collapsed into "UNION" by the filter_sql function.

Multiple SQL injection vulnerabilities in login.php in DM FileManager 3.9.2, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.

SQL injection vulnerability in the GridSupport (GS) Ticket System (com_gsticketsystem) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a viewCategory action to index.php.

SQL injection vulnerability in listing_video.php in VidSharePro allows remote attackers to execute arbitrary SQL commands via the catid parameter.

SQL injection vulnerability in panel/index.php in MLFFAT 2.1 allows remote attackers to execute arbitrary SQL commands via a base64-encoded supervisor cookie.

Multiple SQL injection vulnerabilities in admin/login.php in Wright Way Services Recipe Script 5 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) Password fields, as reachable from admin/index.php.

SQL injection vulnerability in admin/utopic.php in uTopic 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the rating parameter to index.php.

Multiple SQL injection vulnerabilities in admin/admin.php in Realty Webware Technologies Realty Web-Base 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) user (username) and (2) password parameters. NOTE: some of these details are obtained from third party information.

Multiple SQL injection vulnerabilities in the Starrating plugin before 0.7.7 for b2evolution allow remote attackers to execute arbitrary SQL commands via unspecified vectors.