This issue exists in core\admin\modules\developer\extensions\install\and core\admin\modules\developer\packages\install\ NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files." SQL injection vulnerability in Big Tree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\ NET Agent before 184.108.40.206 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.
The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/? SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.
The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name.
** DISPUTED ** Big Tree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in in an uploaded package.
An attack vector is the bauth cookie to cgi-bin/MANGA/
One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.
Apache Open Meetings 1.0.0 is vulnerable to SQL injection.