Total: 1733 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9418 | 1 Goldplugins | 1 Testimonials Plugin Easy Testimonials | 2017-08-13 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php. | |||||
| CVE-2017-7952 | 1 Infor | 1 Enterprise Asset Management | 2017-08-13 | 6.5 MEDIUM | 8.8 HIGH |
| INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter. | |||||
| CVE-2016-7508 | 1 Glpi-project | 1 Glpi | 2017-08-12 | 6.0 MEDIUM | 7.5 HIGH |
| Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding. | |||||
| CVE-2017-11388 | 1 Trendmicro | 1 Control Manager | 2017-08-06 | 6.5 MEDIUM | 8.8 HIGH |
| SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when RestfulServiceUtility.NET.dll doesn't properly validate user provided strings before constructing SQL queries. Formerly ZDI-CAN-4639 and ZDI-CAN-4638. | |||||
| CVE-2017-11678 | 1 Hashtopus Project | 1 Hashtopus | 2017-08-03 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in Hashtopus 1.5g allows remote authenticated users to execute arbitrary SQL commands via the format parameter in admin.php. | |||||
| CVE-2017-11736 | 1 Bigtreecms | 1 Bigtree Cms | 2017-08-02 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. | |||||
| CVE-2016-6453 | 1 Cisco | 1 Identity Services Engine | 2017-07-29 | 4.9 MEDIUM | 7.3 HIGH |
| A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary SQL commands on the database. More Information: CSCva46542. Known Affected Releases: 1.3(0.876). | |||||
| CVE-2016-9283 | 1 Exponentcms | 1 Exponent Cms | 2017-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| SQL Injection in framework/core/subsystems/expRouter.php in Exponent CMS v2.4.0 allows remote attackers to read database information via address/addContentToSearch/id/ and a trailing string, related to a "sef URL" issue. | |||||
| CVE-2016-9282 | 1 Exponentcms | 1 Exponent Cms | 2017-07-28 | 5.0 MEDIUM | 7.5 HIGH |
| SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database information via action=search&module=search with the search_string parameter. | |||||
| CVE-2017-3835 | 1 Cisco | 1 Identity Services Engine Software | 2017-07-25 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users, because of SQL Injection. More Information: CSCvb15627. Known Affected Releases: 1.4(0.908). | |||||
| CVE-2017-1000067 | 1 Modx | 1 Revolution | 2017-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges. | |||||
| CVE-2017-1183 | 1 Ibm | 1 Tivoli Monitoring | 2017-07-20 | 5.4 MEDIUM | 7.5 HIGH |
| IBM Tivoli Monitoring Portal v6 could allow a local (network adjacent) attacker to modify SQL commands to the Portal Server, when default client-server communications, HTTP, are being used. IBM X-Force ID: 123494. | |||||
| CVE-2017-7681 | 1 Apache | 1 Openmeetings | 2017-07-19 | 6.5 MEDIUM | 8.8 HIGH |
| Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end. | |||||
| CVE-2017-1000031 | 1 Cacti | 1 Cacti | 2017-07-19 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. | |||||
| CVE-2017-8002 | 1 Emc | 1 Data Protection Advisor | 2017-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| EMC Data Protection Advisor prior to 6.4 contains multiple blind SQL injection vulnerabilities. A remote authenticated attacker may potentially exploit these vulnerabilities to gain information about the application by causing execution of arbitrary SQL commands. | |||||
| CVE-2017-2195 | 1 Multi Feed Reader Project | 1 Multi Feed Reader | 2017-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in the Multi Feed Reader prior to version 2.2.4 allows authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-11200 | 1 Finecms Project | 1 Finecms | 2017-07-16 | 6.5 MEDIUM | 8.8 HIGH |
| SQL Injection exists in FineCMS through 2017-07-12 via the application/core/controller/excludes.php visitor_ip parameter. | |||||
| CVE-2016-6617 | 1 Phpmyadmin | 1 Phpmyadmin | 2017-07-01 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4) are affected. | |||||
| CVE-2016-9864 | 1 Phpmyadmin | 1 Phpmyadmin | 2017-07-01 | 6.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |||||
| CVE-2016-6611 | 1 Phpmyadmin | 1 Phpmyadmin | 2017-07-01 | 5.1 MEDIUM | 8.1 HIGH |
| An issue was discovered in phpMyAdmin. A specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2017-1347 | 1 Ibm | 1 Sterling B2b Integrator | 2017-06-27 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 126462. | |||||
| CVE-2017-9759 | 1 Zenbership | 1 Zenbership | 2017-06-22 | 6.5 MEDIUM | 8.8 HIGH |
| SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the filters array parameter, exploitable by a privileged account. | |||||
| CVE-2017-9437 | 1 Openbravo | 1 Openbravo Erp | 2017-06-13 | 6.5 MEDIUM | 8.8 HIGH |
| Openbravo Business Suite 3.0 is affected by SQL injection. This vulnerability could allow remote authenticated attackers to inject arbitrary SQL code. | |||||
| CVE-2016-7803 | 1 Cybozu | 1 Garoon | 2017-06-13 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to execute arbitrary SQL commands via the "MultiReport" function. | |||||
| CVE-2017-9449 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name. | |||||
| CVE-2017-9443 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-09 | 6.5 MEDIUM | 8.8 HIGH |
| ** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files." | |||||
| CVE-2016-10379 | 1 Virtuemart | 1 Virtuemart | 2017-06-08 | 6.5 MEDIUM | 7.2 HIGH |
| The VirtueMart com_virtuemart component 3.0.14 for Joomla! allows SQL injection by remote authenticated administrators via the virtuemart_paymentmethod_id or virtuemart_shipmentmethod_id parameter to administrator/index.php. | |||||
| CVE-2016-10378 | 1 E107 | 1 E107 | 2017-06-07 | 6.5 MEDIUM | 7.2 HIGH |
| e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function. | |||||
| CVE-2017-9427 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true. | |||||
| CVE-2017-7236 | 1 Netapp | 1 Oncommand Unified Manager Core Package | 2017-06-02 | 5.0 MEDIUM | 7.5 HIGH |
| SQL injection vulnerability in NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2016-4893 | 1 Setucocms Project | 1 Setucocms | 2017-05-23 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in all versions of SetsucoCMS allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-6557 | 1 Xirrus | 1 Arrayos | 2017-05-17 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the portal bookmark function is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2017-8377 | 1 Genixcms | 1 Genixcms | 2017-05-10 | 6.5 MEDIUM | 8.8 HIGH |
| GeniXCMS 1.0.2 has SQL Injection in inc/lib/Control/Backend/menus.control.php via the menuid parameter. | |||||
| CVE-2017-2120 | 1 Wbce | 1 Wbce Cms | 2017-05-03 | 6.0 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in WBCE CMS 1.1.10 and earlier allows an attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2016-1218 | 1 Cybozu | 1 Garoon | 2017-04-25 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in Cybozu Garoon before 4.2.2. | |||||
| CVE-2017-7879 | 1 Flatcore | 1 Flatcore-cms | 2017-04-21 | 5.0 MEDIUM | 7.5 HIGH |
| SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database. | |||||
| CVE-2016-10096 | 1 Genixcms | 1 Genixcms | 2017-04-11 | 7.5 HIGH | 7.3 HIGH |
| SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the activation parameter. | |||||
| CVE-2017-7290 | 1 Xoops | 1 Xoops | 2017-04-03 | 6.5 MEDIUM | 7.2 HIGH |
| SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program. | |||||
| CVE-2016-1000116 | 1 Huge-it | 1 Portfolio Gallery Manager | 2017-03-28 | 6.5 MEDIUM | 7.2 HIGH |
| Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS | |||||
| CVE-2017-6492 | 1 Admidio | 1 Admidio | 2017-03-25 | 9.0 HIGH | 7.2 HIGH |
| SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization. | |||||
| CVE-2016-9728 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2017-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Qradar 7.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view information in the back-end database. IBM Reference #: 1999543. | |||||
| CVE-2017-5218 | 1 Sagecrm | 1 Sagecrm | 2017-03-02 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The database variable can be populated from the URL, and when supplied non-expected characters, can be manipulated to obtain access to the underlying database. The /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp?SID=<VALID-SID>&database=1';WAITFOR DELAY '0:0:5'-- URI is a Proof of Concept. | |||||
| CVE-2016-9993 | 1 Ibm | 1 Kenexa Lcms Premier | 2017-03-01 | 6.5 MEDIUM | 7.1 HIGH |
| IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1992067. | |||||
| CVE-2016-9994 | 1 Ibm | 1 Kenexa Lcms Premier | 2017-03-01 | 6.5 MEDIUM | 7.1 HIGH |
| IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1976805. | |||||
| CVE-2016-9992 | 1 Ibm | 1 Kenexa Lcms Premier | 2017-03-01 | 6.5 MEDIUM | 7.1 HIGH |
| IBM Kenexa LCMS Premier on Cloud 9.0, and 10.0.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM Reference #: 1992067. | |||||
| CVE-2017-6065 | 1 Metalgenix | 1 Genixcms | 2017-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter. | |||||
| CVE-2016-5952 | 1 Ibm | 1 Kenexa Lcms Premier | 2017-02-08 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Kenexa LCMS Premier on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | |||||
| CVE-2016-8928 | 1 Ibm | 1 Kenexa Lms | 2017-02-07 | 6.5 MEDIUM | 7.6 HIGH |
| IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | |||||
| CVE-2016-8930 | 1 Ibm | 1 Kenexa Lms | 2017-02-07 | 6.5 MEDIUM | 7.6 HIGH |
| IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | |||||
| CVE-2017-5598 | 1 Eclinicalworks | 1 Patient Portal | 2017-02-01 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in eClinicalWorks healow@work 8.0 build 8. This is a blind SQL injection within the EmployeePortalServlet, which can be exploited by un-authenticated users via an HTTP POST request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects the EmployeePortalServlet page and the following parameter: employer. | |||||
