Search
Total
280 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-8143 | 1 Magento | 1 Magento | 2019-11-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database. | |||||
| CVE-2019-6658 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2019-11-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, 13.1.0-13.1.3.1, and 12.1.0-12.1.5, a vulnerability in the AFM configuration utility may allow any authenticated BIG-IP user to run an SQL injection attack. | |||||
| CVE-2019-4224 | 1 Ibm | 1 Pureapplication System | 2019-10-09 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM PureApplication System 2.2.3.0 through 2.2.5.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 159240. | |||||
| CVE-2019-1942 | 1 Cisco | 1 Identity Services Engine | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. At the time of publication, this vulnerability affected Cisco ISE running software releases 2.6.0 and prior. | |||||
| CVE-2019-12710 | 1 Cisco | 1 Unified Communications Manager | 2019-10-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an authenticated, remote attacker to impact the confidentiality of an affected system by executing arbitrary SQL queries. The vulnerability exists because the affected software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted requests that contain malicious SQL statements to the affected application. A successful exploit could allow the attacker to determine the presence of certain values in the database, impacting the confidentiality of the system. | |||||
| CVE-2018-5404 | 1 Quest | 2 Kace Systems Management Appliance, Kace Systems Management Appliance Firmware | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data. | |||||
| CVE-2018-5443 | 1 Advantech | 1 Webaccess\/scada | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A SQL Injection issue was discovered in Advantech WebAccess/SCADA versions prior to V8.2_20170817. WebAccess/SCADA does not properly sanitize its inputs for SQL commands. | |||||
| CVE-2018-1096 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database. | |||||
| CVE-2018-17542 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| SQL Injection exists in MailSherlock before 1.5.235 for OAKlouds allows an unauthenticated user to extract the subjects of the emails of other users within the enterprise via the select_mid parameter in an letgo.cgi request. | |||||
| CVE-2018-14623 | 1 Theforeman | 1 Katello | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulnerable. | |||||
| CVE-2018-11065 | 1 Rsa | 1 Archer | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| The WorkPoint component, which is embedded in all RSA Archer, versions 6.1.x, 6.2.x, 6.3.x prior to 6.3.0.7 and 6.4.x prior to 6.4.0.1, contains a SQL injection vulnerability. A malicious user could potentially exploit this vulnerability to execute SQL commands on the back-end database to read certain data. Embedded WorkPoint is upgraded to version 4.10.16, which contains a fix for the vulnerability. | |||||
| CVE-2018-10595 | 1 Bd | 6 Database Manager, Inoqula\+, Kiestra Tla and 3 more | 2019-10-09 | 4.9 MEDIUM | 6.3 MEDIUM |
| A vulnerability in ReadA version 1.1.0.2 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in loss or corruption of data. | |||||
| CVE-2018-10593 | 1 Bd | 6 Database Manager, Inoqula\+, Kiestra Tla and 3 more | 2019-10-09 | 3.8 LOW | 5.6 MEDIUM |
| A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corruption. | |||||
| CVE-2018-0120 | 1 Cisco | 1 Unified Communications Manager | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the web framework of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct an SQL injection attack against an affected system. The vulnerability exists because the affected software fails to validate user-supplied input in certain SQL queries that bypass protection filters. An attacker could exploit this vulnerability by submitting crafted HTTP requests that contain malicious SQL statements to an affected system. A successful exploit could allow the attacker to determine the presence of certain values in the database of the affected system. Cisco Bug IDs: CSCvg74810. | |||||
| CVE-2017-6754 | 1 Cisco | 1 Smart Net Total Care Collector Appliance | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Software Collector Appliance 3.11 could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which could allow the attacker to compromise the confidentiality of the system through SQL timing attacks. The vulnerability is due to insufficient input validation of certain user-supplied fields that are subsequently used by the affected software to build SQL queries. An attacker could exploit this vulnerability by submitting crafted URLs, which are designed to exploit the vulnerability, to the affected software. To execute an attack successfully, the attacker would need to submit a number of requests to the affected software. A successful exploit could allow the attacker to determine the presence of values in the SQL database of the affected software. Cisco Bug IDs: CSCvf07617. | |||||
| CVE-2017-12364 | 1 Cisco | 1 Prime Service Catalog | 2019-10-09 | 6.4 MEDIUM | 6.5 MEDIUM |
| A SQL Injection vulnerability in the web framework of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to execute unauthorized Structured Query Language (SQL) queries. The vulnerability is due to a failure to validate user-supplied input that is used in SQL queries. An attacker could exploit this vulnerability by sending a crafted SQL statement to an affected system. Successful exploitation could allow the attacker to read entries in some database tables. Cisco Bug IDs: CSCvg30333. | |||||
| CVE-2017-12227 | 1 Cisco | 1 Emergency Responder | 2019-10-09 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the SQL database interface for Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a blind SQL injection attack. The vulnerability is due to a failure to validate user-supplied input used in SQL queries that bypass protection filters. An attacker could exploit this vulnerability by sending crafted URLs that include SQL statements. An exploit could allow the attacker to view or modify entries in some database tables, affecting the integrity of the data. Cisco Bug IDs: CSCvb58973. | |||||
| CVE-2017-12302 | 1 Cisco | 1 Unified Communications Domain Manager | 2019-10-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability in the Cisco Unified Communications Manager SQL database interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. The vulnerability is due to a lack of input validation on user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted URLs that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database. Cisco Bug IDs: CSCvf36682. | |||||
| CVE-2019-17271 | 1 Vbulletin | 1 Vbulletin | 2019-10-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. | |||||
| CVE-2018-17092 | 1 I4a | 1 Donlinkage | 2019-10-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in DonLinkage 6.6.8. SQL injection in /pages/proxy/php.php and /pages/proxy/add.php can be exploited via specially crafted input, allowing an attacker to obtain information from a database. The vulnerability can only be triggered by an authorized user. | |||||
| CVE-2019-14430 | 1 Youphptube | 1 Youphptube | 2019-08-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection. | |||||
| CVE-2019-1010034 | 1 Deepsoft | 1 Weblibrarian | 2019-08-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC. | |||||
| CVE-2019-1010201 | 1 Jeesite | 1 Jeesite | 2019-07-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later. | |||||
| CVE-2018-15892 | 1 Freepbx | 1 Disa | 2019-06-24 | 6.0 MEDIUM | 4.3 MEDIUM |
| FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form page. | |||||
| CVE-2018-16251 | 1 Creatiwity | 1 Witycms | 2019-06-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A "search for user discovery" injection issue exists in Creatiwity wityCMS 0.6.2 via the "Utilisateur" menu. No input parameters are filtered, e.g., the /admin/user/users Nickname, email, firstname, lastname, and groupe parameters. | |||||
| CVE-2019-11620 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/modulecategoryRequest.php. A remote background administrator privilege user (or a user with permission to manage modulecategory) could exploit the vulnerability to obtain database sensitive information via modulecategory_add_titre. | |||||
| CVE-2019-11621 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/configurationRequest.php when action=network. A remote background administrator privilege user (or a user with permission to manage network configuration) could exploit the vulnerability to obtain database sensitive information. | |||||
| CVE-2019-11622 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/modulecategoryRequest.php. A remote background administrator privilege user (or a user with permission to manage modulecategory) could exploit the vulnerability to obtain database sensitive information via modulecategory_edit_titre. | |||||
| CVE-2019-11623 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/configurationRequest.php when action=siteweb. A remote background administrator privilege user (or a user with permission to manage configuration siteweb) could exploit the vulnerability to obtain database sensitive information. | |||||
| CVE-2019-11625 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/emailingRequest.php. A remote background administrator privilege user (or a user with permission to manage emailing) could exploit the vulnerability to obtain database sensitive information. | |||||
| CVE-2019-11613 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/views/ajax/contactView.php. A remote normal registered user could exploit the vulnerability to obtain database sensitive information. | |||||
| CVE-2019-11619 | 1 Doorgets | 1 Doorgets Cms | 2019-05-01 | 4.0 MEDIUM | 4.9 MEDIUM |
| doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/configurationRequest.php when action=analytics. A remote background administrator privilege user (or a user with permission to manage configuration analytics) could exploit the vulnerability to obtain database sensitive information. | |||||
| CVE-2019-9568 | 1 Wpmudev | 1 Forminator Contact Form\, Poll \& Quiz Builder | 2019-03-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission. | |||||
| CVE-2018-9493 | 1 Google | 1 Android | 2018-11-21 | 2.1 LOW | 5.5 MEDIUM |
| In the content provider of the download manager, there is a possible SQL injection due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-111085900 | |||||
| CVE-2018-17129 | 1 Metinfo | 1 Metinfo | 2018-11-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| MetInfo 6.1.0 has SQL injection in doexport() in app/system/feedback/admin/feedback_admin.class.php via the class1 field. | |||||
| CVE-2018-16389 | 1 E107 | 1 E107 | 2018-11-02 | 5.5 MEDIUM | 6.5 MEDIUM |
| e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ip parameter. | |||||
| CVE-2018-16410 | 1 Vanillaforums | 1 Vanilla | 2018-10-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Vanilla before 2.6.1 allows SQL injection via an invitationID array to /profile/deleteInvitation, related to applications/dashboard/models/class.invitationmodel.php and applications/dashboard/controllers/class.profilecontroller.php. | |||||
| CVE-2018-14058 | 1 Pimcore | 1 Pimcore | 2018-10-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pimcore before 5.3.0 allows SQL Injection via the REST web service API. | |||||
| CVE-2018-2447 | 1 Sap | 1 Businessobjects Business Intelligence | 2018-10-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| SAP BusinessObjects Business Intelligence (Launchpad Web Intelligence), version 4.2, allows an attacker to execute crafted InfoObject queries, exposing the CMS InfoObjects database. | |||||
| CVE-2018-1000558 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2018-08-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| OCS Inventory NG ocsreports 2.4 and ocsreports 2.3.1 version 2.4 and 2.3.1 contains a SQL Injection vulnerability in web search that can result in An authenticated attacker is able to gain full access to data stored within database. This attack appear to be exploitable via By sending crafted requests it is possible to gain database access. This vulnerability appears to have been fixed in 2.4.1. | |||||
| CVE-2018-10353 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-06-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| A SQL injection information disclosure vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to disclose sensitive information on vulnerable installations due to a flaw in the formChangePass class. Authentication is required to exploit this vulnerability. | |||||
| CVE-2018-9102 | 1 Mitel | 2 Mivoice Connect, St 14.2 | 2018-05-25 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the signin interface. A successful exploit could allow an attacker to extract sensitive information from the database. | |||||
| CVE-2017-1722 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2018-05-25 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Security QRadar SIEM 7.2 and 7.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 134811. | |||||
| CVE-2018-6230 | 1 Trendmicro | 1 Email Encryption Gateway | 2018-04-04 | 8.3 HIGH | 6.8 MEDIUM |
| A SQL injection vulnerability in an Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system. | |||||
| CVE-2018-6883 | 1 Piwigo | 1 Piwigo | 2018-03-17 | 4.0 MEDIUM | 4.9 MEDIUM |
| Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator. | |||||
| CVE-2017-15546 | 1 Emc | 1 Rsa Authentication Manager | 2018-02-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Security Console in EMC RSA Authentication Manager 8.2 SP1 P6 and earlier is affected by a blind SQL injection vulnerability. Authenticated malicious users could potentially exploit this vulnerability to read any unencrypted data from the database. | |||||
| CVE-2017-0304 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2018-01-08 | 5.5 MEDIUM | 5.4 MEDIUM |
| A SQL injection vulnerability exists in the BIG-IP AFM management UI on versions 12.0.0, 12.1.0, 12.1.1, 12.1.2 and 13.0.0 that may allow a copy of the firewall rules to be tampered with and impact the Configuration Utility until there is a resync of the rules. Traffic processing and the live firewall rules in use are not affected. | |||||
| CVE-2017-16735 | 1 Ecava | 1 Integraxor | 2018-01-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. The SQL Injection vulnerability has been identified, which generates an error in the database log. | |||||
| CVE-2017-16733 | 1 Ecava | 1 Integraxor | 2018-01-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. The SQL Injection vulnerability has been identified, which an attacker can leverage to disclose sensitive information from the database. | |||||
| CVE-2017-17822 | 1 Piwigo | 1 Piwigo | 2018-01-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database. | |||||