Vulnerability List

List of issues SmartScanner can test

Apache Expect Header Cross Site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. OWASP

Apache server-info enabled

Sensitive information is exposed on this page. Attackers can use this information to extend their attack.

Apache server-status enabled

Sensitive information is exposed on this page. Attackers can use this information to extend their attack.

Application Error

Unhandled exceptions have two primary risks. Denial of service: When an unhandled exception occurs, it might cause memory leakage or consume server resources by performing more processing than usual. Leaking information: Unhandled exceptions can generate error messages with sensitive information. When these error messages are shown to users, attackers can take advantage of them to develop their attack on the target.

Arbitrary Source Code Disclosure

Source code on a web server often contains sensitive information and should not be accessible to users.

Auto Complete Enabled Password Input

The user's browser can save and remember the values entered in input fields that have autocomplete enabled. This might reveal sensitive information like passwords, especially on public and multi-user computers.

Basic Authentication Over HTTP

HTTP traffic can often be sniffed and captured by an attacker who has access to a network interface. In HTTP basic authentication, user credentials are sent in Base64 encoding, which can easily be decoded into plain text.

Blind OS Command Execution

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. OWASP

Blind SQL Injection

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

BREACH attack

BREACH is an instance of the CRIME attack against HTTP compression—the use of gzip or DEFLATE data compression algorithms via the content-encoding option within HTTP by many web browsers and servers. Given this compression oracle, the rest of the BREACH attack follows the same general lines as the CRIME exploit, by performing an initial blind brute-force search to guess a few bytes, followed by divide-and-conquer search to expand a correct guess to an arbitrarily large amount of content. Wikipedia

Broken Link

Broken hyperlinks in web pages can create a bad experience for the users. It can also affect the web page ranking in web search results.

Brute Force Prevention Bypassed

The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks. MITRE

Content Character Encoding is not Defined

Web browsers need to know the character encoding of a page to display it correctly. When the character encoding is not explicitly defined, the browser has to either guess the encoding or use a default encoding. This allows attackers to use different encodings like UTF-7 to exploit vulnerabilities like XSS.

Content-Security-Policy Header is Missing

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. Mozilla

Cookie without HttpOnly Flag

The HttpOnly cookie flag prevents the JavaScript Document.cookie API from accessing the cookie. When this flag is set, the cookie is only sent to the server. In many cases, cookies are not needed on the client-side. Session cookies are a good example of cookies that don’t need to be available to JavaScript. Using the HttpOnly flag can help to mitigate Cross-Site Scripting (XSS) attacks.

Cookie without SameSite Flag

The SameSite cookie flag with the right value prevents the browser from sending the cookie in cross-origin requests. It provides some protection against cross-site request forgery attacks (CSRF).

Cookie without Secure Flag

The Secure cookie flag prevents the browser from sending the cookie over an unencrypted connection. A cookie with a Secure flag is sent to the server only with an encrypted request over the HTTPS protocol. Therefore it can’t easily be accessed by a man-in-the-middle attacker.

Cross-Origin Resource Sharing Allowed

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. Mozilla

Cross-origin resource sharing should not be allowed unless specifically needed to minimize disclosure of sensitive information to foreign origins.

Cross Site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. OWASP

Database Error

Unhandled exceptions have two primary risks. Denial of service: When an unhandled exception occurs, it might cause memory leakage or consume server resources by performing more processing than usual. Leaking information: Unhandled exceptions can generate error messages with sensitive information. When these error messages are shown to users, attackers can take advantage of them to develop their attack on the target.

Directory Listing of Sensitive Files

A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. MITRE

Directory Listing

A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible. MITRE

Email Address Disclosure

Spambots can harvest email addresses from webpages and use them for sending spam emails.

Expression Language Injection

In programming languages, Expressions are constants, variables, operators, or functions that can perform actions and produce values. Web applications often use dynamic Expressions in their templates to create different pages easily. When user input is used in these dynamic Expressions and templates without proper validation, a malicious user can provide crafted inputs to change the server-side Expressions. This is called Expression Language Injection (aka EL Injection) or Template Injection. EL injections are serious vulnerabilities that allow attackers to extract pieces of information such as session tokens or execute commands on the remote server.

Hidden Resource in Robots.txt

The robots.txt file specifies how to inform the web robot about which areas of the website should not be processed or scanned. Robots are often used by search engines to categorize websites. Not all robots cooperate with the standard; email harvesters, spambots, malware, and robots that scan for security vulnerabilities may even start with the portions of the website where they have been told to stay out. Wikipedia

HTTP Response Splitting

HTTP response splitting is the result of the failure of a web application to properly sanitize CR (ASCII 0x0D) and LF (ASCII 0x0A) characters in HTTP headers. Per the HTTP standard (RFC 2616) headers are separated by one CRLF and the response’s headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses. Wikipedia

Nginx Null Byte Code Execution

The null byte character (ASCII 0x00) is allowed in the URL. If the user can control the contents of files on the server, this can result in arbitrary PHP code execution.

No HTTPS

In HTTP communications, traffic is not encrypted and can be captured by an attacker who has access to a network interface.

No Redirection from HTTP to HTTPS

When HTTPS is enabled but HTTP requests are not redirected to HTTPS automatically, users have to open the HTTPS URL explicitly. Otherwise, communication is not encrypted and can be captured by an attacker who has access to a network interface.

Old/Backup Resource Found

Backup files can disclose important information like an application’s source code, administrative interfaces, or even credentials to connect to the administrative interface or the database server.

OS Command Execution

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. OWASP

Password Input on HTTP

Attackers can sniff and capture sensitive information like passwords when they’re served and transmitted over unencrypted HTTP traffic.

Password Sent in HTTP Query

URLs are stored in log files and might be sent in the referer HTTP request header to other websites. Passing sensitive information like passwords as part of the URL might disclose this information to an unauthorized actor. This risk is increased when the traffic is not encrypted.

Password Sent in Query

URLs are stored in log files and might be sent in the referer HTTP request header to other websites. Passing sensitive information like passwords as part of the URL might disclose this information to an unauthorized actor. This risk is increased when the traffic is not encrypted.

Password Sent Over HTTP

Attackers can sniff and capture sensitive information like passwords when they’re served and transmitted over unencrypted HTTP traffic.

Path Disclosure in Robots.txt

The robots.txt file specifies how to inform the web robot about which areas of the website should not be processed or scanned. Robots are often used by search engines to categorize websites. Not all robots cooperate with the standard; email harvesters, spambots, malware, and robots that scan for security vulnerabilities may even start with the portions of the website where they have been told to stay out. Wikipedia

PHP Version Disclosure

Knowing the PHP version used by the server, attackers can find vulnerabilities more easily. This information exposes the server to attackers.

phpinfo() Found

The phpinfo() function in the PHP programming language discloses a large amount of information about PHP, its extensions, the server, and the environment. Since different environments have different setups, phpinfo() can help to figure out the configuration. It can also facilitate the debugging process. Using this function call in the production environment can be dangerous because the provided information is valuable for attackers to develop their attack.

Possible SQL Injection

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

Private IPv4 Address Disclosure

Private IP addresses are used in private networks like local area networks (LANs). A private IP address can reveal information about the IP planning scheme used in the private network. This information does not create any direct impact on the target, though it can help attackers develop their attack.

Private IPv6 Address Disclosure

Private IP addresses are used in private networks like local area networks (LANs). A private IP address can reveal information about the IP planning scheme used in the private network. This information does not create any direct impact on the target, though it can help attackers develop their attack.

Profanity

Profanity in web pages can create a bad experience for the users. It can also affect the web page ranking in web search results.

Public-Key-Pins Header is Set

The HTTP Public-Key-Pins response header was used to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. However, it has been removed from modern browsers and is no longer supported. Use Certificate Transparency and the Expect-CT header instead. Mozilla

Referrer-Policy Header is Missing

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Mozilla

The Referer (sic) header contains the address of the previous web page from which a link to the currently requested page was followed, which has lots of fairly innocent uses including analytics, logging, or optimized caching. However, there are more problematic uses such as tracking or stealing information, or even just side effects such as inadvertently leaking sensitive information. Mozilla

Robots.txt Found

The robots.txt file specifies how to inform the web robot about which areas of the website should not be processed or scanned. Robots are often used by search engines to categorize websites. Not all robots cooperate with the standard; email harvesters, spambots, malware, and robots that scan for security vulnerabilities may even start with the portions of the website where they have been told to stay out. Wikipedia

Sensitive Old/Backup Resource Found

Backup files can disclose important information like an application’s source code, administrative interfaces, or even credentials to connect to the administrative interface or the database server.

Sensitive Unreferenced Resource Found

Attackers can often predict unreferenced resources on web applications. These files may disclose sensitive information that can facilitate a focused attack against the application. Unreferenced pages may contain powerful functionality that can be used to attack the application. OWASP

Server Version Disclosure

The Server header describes the server application that handled the request. Detailed information in this header can expose the server to attackers. Using the information in this header, attackers can find vulnerabilities more easily.

Session Cookie without HttpOnly Flag

The HttpOnly cookie flag prevents the JavaScript Document.cookie API from accessing the cookie. When this flag is set, the cookie is only sent to the server. In many cases, cookies are not needed on the client-side. Session cookies are a good example of cookies that don’t need to be available to JavaScript. Using the HttpOnly flag can help to mitigate Cross-Site Scripting (XSS) attacks.

Session Cookie without SameSite Flag

The SameSite cookie flag with the right value prevents the browser from sending the cookie in cross-origin requests. It provides some protection against cross-site request forgery attacks (CSRF).

Session Cookie without Secure Flag

The Secure cookie flag prevents the browser from sending the cookie over an unencrypted connection. A cookie with a Secure flag is sent to the server only with an encrypted request over the HTTPS protocol. Therefore it can’t easily be accessed by a man-in-the-middle attacker.

Source Code Disclosure

Source code on a web server often contains sensitive information and should not be accessible to users.

SQL Command Disclosure

SQL commands reveal information about the structure of the underlying database. This information does not create any direct impact on the target, though it provides valuable information attackers can use in their attack.

SQL Injection

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

SSL 2 enabled

SSL version 2 has several flaws and is considered vulnerable.

SSL 3 enabled

SSL version 3 is vulnerable to padding attacks.

Strict-Transport-Security Header is Missing

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. Mozilla

The Heartbleed Bug

Heartbleed is a security bug in the OpenSSL cryptography library, which is used for implementing the Transport Layer Security (TLS) protocol. This bug allows remote attackers to obtain sensitive information from process memory via crafted packets.

Time Based SQL Injection

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

TLS 1.0 enabled

TLS version 1.0 has several flaws and is considered vulnerable.

TLS 1.1 enabled

TLS version 1.1 has several flaws and is considered not secure.

Unix Path Disclosure

File and directory paths reveal information about the structure of the file system of the underlying OS. This information does not create any direct impact on the target, though it provides valuable information attackers can use in their attack.

Unreferenced Login Page Found

Attackers can often predict unreferenced resources on web applications. These files may disclose sensitive information that can facilitate a focused attack against the application. Unreferenced pages may contain powerful functionality that can be used to attack the application. OWASP

Unreferenced Repository Found

A repository keeps the versioning information of different documents. Repositories are usually used to maintain the source code of applications. The most common version control systems are Git, SVN, CVS, and Mercurial. Repositories contain the contents of the documents, usernames, history of the changes, and other important information. Attackers can often find repositories that are not directly referenced in the website.

Unreferenced Resource Found

Attackers can often predict unreferenced resources on web applications. These files may disclose sensitive information that can facilitate a focused attack against the application. Unreferenced pages may contain powerful functionality that can be used to attack the application. OWASP

Unreferenced Source Code Disclosure

Source code on a web server often contains sensitive information and should not be accessible to users.

Unvalidated Redirection

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. OWASP

User Enumeration

Often, web applications reveal when a username exists on the system, either as a consequence of misconfiguration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on the system. This information can be used to attack the web application, for example, through a brute force or default username and password attack. OWASP

Vulnerable IIS Version

The Internet Information Services (IIS) version used is outdated and has security flaws.

Weak Password

The application does not enforce using a strong password, which makes it easier for attackers to find users’ passwords.

Windows Path Disclosure

File and directory paths reveal information about the structure of the file system of the underlying OS. This information does not create any direct impact on the target, though it provides valuable information attackers can use in their attack.

WordPress Login Page Found

WordPress wp-login.php is a well-known login page for both users and administrators. Password guessing and brute force attacks are the main methods attackers use to break into WordPress using this page. Another common attack is sending too many requests to this page to cause a denial of service.

WordPress Theme Akal XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. OWASP

WordPress User Enumeration

Often, web applications reveal when a username exists on the system, either as a consequence of misconfiguration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on the system. This information can be used to attack the web application, for example, through a brute force or default username and password attack. OWASP

X-Content-Type-Options Header is Missing

The X-Content-Type-Options response HTTP header is used by the server to prevent browsers from guessing the media type (MIME type). This is known as MIME sniffing, in which the browser guesses the correct MIME type by looking at the contents of the resource. The absence of this header might cause browsers to transform non-executable content into executable content.

X-Frame-Options Header is Missing

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. Mozilla

X-Powered-By Header Found

The X-Powered-By header describes the technologies used by the webserver. This information exposes the server to attackers. Using the information in this header, attackers can find vulnerabilities more easily.

X-XSS-Protection Header is Missing

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Mozilla

TRACE Method Allowed

The HTTP TRACE method allows a client to see the whole request that the webserver has received. The main purpose of this feature is for testing or diagnostic information. This method can reveal sensitive information like cookies and Authorization tokens to clients when they’re not supposed to access this data. This is often called a Cross-Site Tracing (XST) attack.

TRACK Method Allowed

The HTTP TRACK and TRACE methods allow the client to see the whole request that the webserver has received. The main purpose of this feature is for testing or diagnostic information. These methods can reveal sensitive information like cookies and Authorization tokens to clients when they’re not supposed to access this data. This is often called a Cross-Site Tracing (XST) attack. The TRACK HTTP method is specific to the Microsoft IIS web server.

CRIME (SPDY) attack

The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a “CRIME” attack. MITRE

CRIME (SSL/TLS) attack

CRIME (Compression Ratio Info-leak Made Easy) is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. Wikipedia

Drupal 'Drupalgeddon2' Remote Code Execution

An issue in multiple subsystems of Drupal allows remote attackers to execute arbitrary OS commands on the server.

Joomla! 'J2Store < 3.3.7' SQL Injection

A vulnerability in the Joomla! J2Store component allows attackers to inject and execute SQL commands on the website’s database.

The POODLE attack

The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-in-the-middle exploit which takes advantage of Internet and security software clients’ fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Wikipedia

Vulnerable OpenSSL Version

The OpenSSL version used is outdated and has security flaws.

Application and Database Error

Unhandled exceptions have two primary risks. Denial of service: When an unhandled exception occurs, it might cause memory leakage or consume server resources by performing more processing than usual. Leaking information: Unhandled exceptions can generate error messages with sensitive information. When these error messages are shown to users, attackers can take advantage of them to develop their attack on the target.

Buffer Overflow

A buffer overflow can occur when an application accepts more data than it has space for. This causes the data to overflow its container, which is usually memory. Buffer overflows can be very dangerous because they can lead to command execution attacks.

The ShellShock Bug

Shellshock, also known as Bashdoor, is a bug in the Unix Bash shell that allows an attacker to execute arbitrary commands and gain unauthorized access using Bash.

File Upload Functionality

An <input> element with type="file" lets the user choose one or more files from their device storage. Then, the files can be uploaded to a remote server. An unrestricted file upload functionality can cause an arbitrary file upload vulnerability where malicious users can upload (and execute) any file to the server.

HTTP Protocol Stack Remote Code Execution Vulnerability (DOS)

A vulnerability in the Microsoft Windows HTTP Protocol Stack (HTTP.sys) allows remote attackers to execute code or cause a crash on the host OS.

Redirection with Body

An HTTP redirection (3XX status code) does not require a body. The presence of the body in a redirection HTTP response indicates execution of code after redirection. Redirection with a body can cause serious information leakage or expose access to sensitive functionalities. For example, consider an admin page that redirects unauthorized users to a login page. Without proper implementation of the redirection function, the response can show the admin page contents with all links and functionalities to an unauthorized user.

ViewState is not Encrypted

The ViewState is a hidden form input in ASP.NET pages which is used automatically to persist information such as non-default values of controls. It is also possible to store application data specific to a page in the ViewState. If the ViewState is not encrypted, anyone can see stored values in it.

Vulnerable Apache Version

The Apache HTTP Server version used is outdated and has security flaws.

Vulnerable Nginx Version

The Nginx version used is outdated and has security flaws.

Vulnerable PHP Version

The PHP version used is outdated and has security flaws.

Vulnerable WordPress Version

The WordPress version used is outdated and has security flaws.

Passive Mixed Content

When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle attacks. An HTTPS page that includes content fetched using cleartext HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers. That leaves the pages unsafe. Mozilla

Passive content is content like images, audio, or video. This type of content controls the appearance of the web page, which is why it is also called display content.

WordPress Plugin AdRotate 3.6.5 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin AdRotate 3.6.6 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin AdRotate 3.9.4 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin All Video Gallery 1.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Bannerize 2.8.6 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Bannerize 2.8.7 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Business Intelligence SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Chained Quiz 1.0.8 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Community Events 1.2.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin CP Multi View Event Calendar 1.01 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin CP Multi View Event Calendar 1.1.4 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin CP Multi View Event Calendar 1.1.7 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin DS FAQ 1.3.2 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Easy Contact Form Lite 1.0.7 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Event Registration 5.4.3 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Eventify Simple Events 1.7.f SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Facebook Promotions 1.3.3 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin File Groups 1.1.2 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin FireStorm Professional Real Estate 2.06.01 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Forum Server 1.7 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Glossary SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Google Document Embedder 2.5.14 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Google Document Embedder 2.5.16 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Hitasoft_player Ripe HD FLV Player 1.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Jetpack SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin JTRT Responsive Tables 4.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin KNR Author List Widget 2.0.0 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin LeagueManager 3.8 SQLI

An SQL injection vulnerability exists in the league_id parameter of a function call made by the leaguemanager_export page.

WordPress Plugin Link Library 5.2.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin NEX Forms 3.0 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Olimometer 2.56 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin OQey Headers 0.3 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Paid Downloads 2.01 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Post Highlights 2.2 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin SCORM Cloud 1.0.6.6 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin SH Slideshow 3.1.4 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Smart Google Code Inserter 3.5 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Tune Library 2.17 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Users Ultra 1.5.50 Blind SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin VideoWhisper Video Presentation 1.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin WP Fastest Cache 0.8.4.8 Blind SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin WP Statistics 13.0.7 Time Based SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Yolink Search 1.1.4 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

WordPress Plugin Zotpress 4.4 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. OWASP

Local File Inclusion

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. OWASP

Remote File Disclosure

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. OWASP

Remote File Inclusion

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. OWASP

Remote URL Inclusion

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation. OWASP

Secure Renegotiation is not supported

It is possible to inject content into the start of sessions when the server does not support secure renegotiation in SSL/TLS connections. For the server to be vulnerable, it must also support client-initiated renegotiation.

Drupal 4.1/4.2 XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. OWASP

Drupal Module Cumulus Cross Site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. OWASP

Joomla! 1.5 < 3.4.5 RCE

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. OWASP

Joomla! < 1.7.0 XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. OWASP

Joomla! 3.2.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component Com_contenthistory SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component Com_fields 3.7 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component com_hdwplayer 4.2 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component Com_newsfeeds 1.0 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component File Download Tracker 3.0 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component Form Maker 3.6.12 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component JCK Editor 6.4.4 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Joomla! Component JquickContact 1.3.2.2.1 SQLI

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. OWASP

Subresource Integrity is Missing

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match. Mozilla

ASP.NET Version Disclosure

The X-AspNet-Version and X-AspNetMvc-Version headers reveal the version of ASP.NET used by the web server. This information exposes the server to attackers. Using the information in these headers, attackers can find vulnerabilities more easily.

Detailed Application and Database Error

Unhandled exceptions have two primary risks. Denial of service: When an unhandled exception occurs, it might cause memory leakage or consume server resources by performing more processing than usual. Leaking information: Unhandled exceptions can generate error messages with sensitive information. When these error messages are shown to users, attackers can take advantage of them to develop their attack on the target.

Detailed Application Error

Unhandled exceptions have two primary risks. Denial of service: When an unhandled exception occurs, it might cause memory leakage or consume server resources by performing more processing than usual. Leaking information: Unhandled exceptions can generate error messages with sensitive information. When these error messages are shown to users, attackers can take advantage of them to develop their attack on the target.

Internal Server Error

Unhandled exceptions have two primary risks. Denial of service: When an unhandled exception occurs, it might cause memory leakage or consume server resources by performing more processing than usual. Leaking information: Unhandled exceptions can generate error messages with sensitive information. When these error messages are shown to users, attackers can take advantage of them to develop their attack on the target.
