All news with #sql injection tag

🔒 A SQL injection vulnerability in the Quiz and Survey Master (QSM) WordPress plugin affected more than 40,000 sites running versions 10.3.1 and earlier. The flaw allowed any logged-in user with Subscriber-level privileges or higher to supply crafted input to a REST API parameter named is_linking, which was concatenated into a database query without sanitisation. Patchstack credited Doan Dinh Van for the report and QSM released version 10.3.2 to enforce integer casting (intval) and mitigate the issue; the defect is tracked as CVE-2025-67987. There is no public evidence of active exploitation, but the bug underscores risks from trusting request data and the need for prepared statements.

⚠️ AVEVA has released patches for multiple vulnerabilities in Process Optimization that could allow remote code execution, SQL injection, privilege escalation, and disclosure of sensitive data. The most severe, CVE-2025-61937, permits unauthenticated remote code execution at OS System privileges (CVSS 10.0). AVEVA's remediation requires updating to Process Optimization v2025; CISA and the vendor also recommend firewall restrictions, ACLs, and ensuring encrypted channels.

🔒 A SQL injection vulnerability (CVE-2025-12807) in Rockwell Automation's FactoryTalk DataMosaix Private Cloud could allow low-privilege users to perform unauthorized, sensitive database operations through exposed API endpoints. Affected versions include 7.11, 8.00, and 8.01; vendor updates are available. Rockwell Automation and CISA advise updating to Version 8.01.02 or later and applying network isolation and secure remote access mitigations.

🔒 CISA disclosed multiple vulnerabilities in Advantech WebAccess/SCADA affecting version 9.2.1 that could allow an authenticated attacker to read, modify, or delete remote database files. Reported issues include path traversal, unrestricted file upload, absolute path traversal, and SQL injection across several CVEs. Advantech has released WebAccess/SCADA 9.2.2 to address these flaws; operators should prioritize applying the update and hardening network access.

🔒 FreePBX has released patches addressing several high‑severity vulnerabilities, including an authentication bypass that may be triggered when the legacy AUTHTYPE is set to webserver. Horizon3.ai reported authenticated SQL injection flaws and an arbitrary file upload that can be used to deploy a PHP web shell and achieve remote code execution. Administrators should apply the provided updates, ensure Authorization Type is set to usermanager, remove the legacy AUTHTYPE option from Advanced Settings, rotate credentials, and perform forensic checks if legacy settings were enabled.

🛡️MITRE has published its annual CWE Top 25, ranking the most dangerous software weaknesses identified from 39,080 CVEs. Cross-site scripting (XSS) remains top, with SQL injection and cross-site request forgery following; several memory- and injection-related flaws shifted positions. New entries include classic, stack and heap buffer overflows, improper access control, authorization bypass via user-controlled keys, and resource allocation issues. Experts warn that weak credential protection and authorization failures are driving growing real-world risk in SaaS and API-driven environments.

⚠️ Advantech iView versions 5.7.05.7057 and earlier are affected by an SQL injection vulnerability in SNMP v1 trap handling (port 162) that can be exploited remotely with low attack complexity. CISA assigns CVE-2025-13373 with a CVSS v4 base score of 8.7 (and CVSS v3.1 7.5). Successful exploitation could disclose, modify, or delete data. Advantech recommends updating to iView v5.8.1; CISA advises network isolation, firewalls, and secure remote access.

🛡️ This advisory details an SQL injection vulnerability in Siemens SINEC NMS (versions prior to V4.0 SP1) affecting the getTotalAndFilterCounts endpoint. Assigned CVE-2025-40755 with high severity (CVSS v3.1 8.8 / CVSS v4 8.7), an authenticated low-privilege attacker could inject SQL to insert data and escalate privileges. Siemens advises updating to V4.0 SP1 or later and applying network protections such as segmentation and firewalls; CISA reports no known public exploitation.

🔍 Researchers at ESET disclosed a previously undocumented campaign named GhostRedirector that has compromised at least 65 Windows servers mainly in Brazil, Thailand and Vietnam. The intruders deployed a passive C++ backdoor, Rungan, alongside a native IIS module, Gamshen, which selectively alters responses for Googlebot to perform SEO fraud. Initial access appears linked to SQL injection and abuse of xp_cmdshell, with subsequent PowerShell retrievals from a staging host.

🔒 A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Memberships Subscriptions plugin affecting versions up to 2.15.1, used by over 10,000 sites. Patchstack Alliance researcher ChuongVN reported the flaw, which stems from unsafe handling of PayPal IPN payment IDs. The vendor released 2.15.2 to enforce numeric validation of payment IDs, adopt prepared statements and strengthen input handling; administrators should update immediately.