Total: 8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19607 | 1 Mitel | 1 Micollab Audio, Web & Video Conferencing | 2020-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the session parameter. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts. | |||||
| CVE-2019-19608 | 1 Mitel | 1 Micollab Audio, Web & Video Conferencing | 2020-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the registeredList.cgi page. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts. | |||||
| CVE-2020-9465 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2020-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie. | |||||
| CVE-2018-16356 | 1 Pbootcms | 1 Pbootcms | 2020-03-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in PbootCMS. There is a SQL injection via the api.php/List/index order parameter. | |||||
| CVE-2020-9398 | 1 Ispconfig | 1 Ispconfig | 2020-03-03 | 9.3 HIGH | 9.8 CRITICAL |
| ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection. | |||||
| CVE-2018-16357 | 1 Pbootcms | 1 Pbootcms | 2020-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in PbootCMS. There is a SQL injection via the api.php/Cms/search order parameter. | |||||
| CVE-2019-17357 | 1 Cacti | 1 Cacti | 2020-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cacti through 1.2.7 is affected by a graphs.php?template_id= SQL injection vulnerability affecting how template identifiers are handled when a string and id composite value are used to identify the template type and id. An authenticated attacker can exploit this to extract data from the database, or an unauthenticated remote attacker could exploit this via Cross-Site Request Forgery. | |||||
| CVE-2019-4669 | 1 Ibm | 2 Business Automation Workflow, Business Process Manager | 2020-02-28 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Business Process Manager 8.5.7.0 through 8.5.7.0 2017.06, 8.6.0.0 through 8.6.0.0 CF2018.03, and IBM Business Automation Workflow 18.0.0.1 through 19.0.0.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 171254. | |||||
| CVE-2020-9265 | 1 Ciprianmp | 1 Phpmychat-plus | 2020-02-27 | 6.4 MEDIUM | 8.2 HIGH |
| phpMyChat-Plus 1.98 is vulnerable to multiple SQL injections against the deluser.php Delete User functionality, as demonstrated by pmc_username. | |||||
| CVE-2019-19986 | 1 Seling | 1 Visual Access Manager | 2020-02-27 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based (this means that it relies on error messages thrown by the database server to obtain information about the structure of the database). | |||||
| CVE-2019-4597 | 1 Ibm | 1 Sterling B2b Integrator | 2020-02-27 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 167880. | |||||
| CVE-2019-4598 | 1 Ibm | 1 Sterling B2b Integrator | 2020-02-27 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 167881. | |||||
| CVE-2020-9340 | 1 Fauzantrif Election Project | 1 Fauzantrif Election | 2020-02-25 | 6.5 MEDIUM | 7.2 HIGH |
| fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter. | |||||
| CVE-2020-8596 | 1 Xnau | 1 Participants Database | 2020-02-25 | 6.0 MEDIUM | 7.5 HIGH |
| participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy parameters. It is possible to exfiltrate data and potentially execute code (if certain conditions are met). | |||||
| CVE-2020-8804 | 1 Salesagility | 1 Suitecrm | 2020-02-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module. | |||||
| CVE-2020-9318 | 1 Red-gate | 1 Sql Monitor | 2020-02-25 | 6.5 MEDIUM | 7.2 HIGH |
| Red Gate SQL Monitor 9.0.13 through 9.2.14 allows an administrative user to perform a SQL injection attack by configuring the SNMP alert settings in the UI. This is fixed in 9.2.15. | |||||
| CVE-2004-2695 | 2 Jelsoft, Point-to-point Protocol Project | 2 Vbulletin, Point-to-point Protocol | 2020-02-24 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Authorize.net callback code (subscriptions/authorize.php) in Jelsoft vBulletin 3.0 through 3.0.3 allows remote attackers to execute arbitrary SQL statements via the x_invoice_num parameter. NOTE: this issue might be related to CVE-2006-4267. | |||||
| CVE-2020-3154 | 1 Cisco | 1 Cloud Web Security | 2020-02-24 | 4.0 MEDIUM | 4.9 MEDIUM |
| A vulnerability in the web UI of Cisco Cloud Web Security (CWS) could allow an authenticated, remote attacker to execute arbitrary SQL queries. The vulnerability exists because the web-based management interface improperly validates SQL values. An authenticated attacker could exploit this vulnerability sending malicious requests to the affected device. An exploit could allow the attacker to modify values on or return values from the underlying database. | |||||
| CVE-2019-4752 | 1 Ibm | 2 Emptoris Spend Analysis, Emptoris Strategic Supply Management Platform | 2020-02-21 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Emptoris Spend Analysis and IBM Emptoris Strategic Supply Management Platform 10.1.0.x, 10.1.1.x, and 10.1.3.x is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 173348. | |||||
| CVE-2015-7567 | 1 Yeager | 1 Yeager Cms | 2020-02-21 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary SQL commands via the "passwordreset&token" parameter. | |||||
| CVE-2013-2018 | 1 Berkeley | 1 Boinc | 2020-02-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in BOINC allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2014-9613 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in Netsweeper before 2.6.29.10 allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to webadmin/auth/verification.php or (2) dpid parameter to webadmin/deny/index.php. | |||||
| CVE-2020-9269 | 1 Soplanning | 1 Soplanning | 2020-02-20 | 9.0 HIGH | 7.2 HIGH |
| SOPlanning 1.45 is vulnerable to authenticated SQL Injection that leads to command execution via the users parameter, as demonstrated by export_ical.php. | |||||
| CVE-2014-9612 | 1 Netsweeper | 1 Netsweeper | 2020-02-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in remotereporter/load_logfiles.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to execute arbitrary SQL commands via the server parameter. | |||||
| CVE-2014-8089 | 3 Fedoraproject, Redhat, Zend | 3 Fedora, Enterprise Linux, Zend Framework | 2020-02-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte. | |||||
| CVE-2020-8611 | 2 Progess, Progress | 2 Moveit Transfer, Moveit Transfer | 2020-02-19 | 6.5 MEDIUM | 8.8 HIGH |
| In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements. | |||||
| CVE-2018-5986 | 1 Easycarscript | 1 Easycarscript | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php. | |||||
| CVE-2020-9268 | 1 Soplanning | 1 Soplanning | 2020-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| SoPlanning 1.45 is vulnerable to SQL Injection in the OrderBy clause, as demonstrated by the projets.php?order=nom_createur&by= substring. | |||||
| CVE-2020-8802 | 1 Salesagility | 1 Suitecrm | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation. | |||||
| CVE-2013-1401 | 1 Cardozatechnologies | 1 Wordpress Poll | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple security bypass vulnerabilities in the editAnswer, deleteAnswer, addAnswer, and deletePoll functions in WordPress Poll Plugin 34.5 for WordPress allow a remote attacker to add, edit, and delete an answer and delete a poll. | |||||
| CVE-2013-1400 | 1 Cardozatechnologies | 1 Wordpress Poll | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in CWPPoll.js in WordPress Poll Plugin 34.5 for WordPress allow attackers to execute arbitrary SQL commands via the pollid or poll_id parameter in a viewPollResults or userlogs action. | |||||
| CVE-2010-4897 | 1 Bluecms Project | 1 Bluecms | 2020-02-18 | 7.5 HIGH | N/A |
| SQL injection vulnerability in comment.php in BlueCMS 1.6 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header in a send action. | |||||
| CVE-2019-15016 | 1 Zingbox | 1 Inspector | 2020-02-17 | 6.5 MEDIUM | 8.8 HIGH |
| An SQL injection vulnerability exists in the management interface of Zingbox Inspector versions 1.288 and earlier, that allows for unsanitized data provided by an authenticated user to be passed from the web UI into the database. | |||||
| CVE-2015-5617 | 1 Enorth | 1 Webpublisher Cms | 2020-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in pub/m_pending_news/delete_pending_news.jsp in Enorth Webpublisher CMS allows remote attackers to execute arbitrary SQL commands via the cbNewsId parameter. | |||||
| CVE-2012-1124 | 1 Phxeventmanager Project | 1 Phxeventmanager | 2020-02-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter. | |||||
| CVE-2020-8841 | 1 Testlink | 1 Testlink | 2020-02-12 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection. | |||||
| CVE-2015-3423 | 1 Netcracker | 1 Resource Management System | 2020-02-12 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple SQL injection vulnerabilities in NetCracker Resource Management System before 8.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) ctrl, (2) h____%2427, (3) h____%2439, (4) param0, (5) param1, (6) param2, (7) param3, (8) param4, (9) filter_INSERT_COUNT, (10) filter_MINOR_FALLOUT, (11) filter_UPDATE_COUNT, (12) sort, or (13) sessid parameter. | |||||
| CVE-2019-15622 | 1 Nextcloud | 1 Nextcloud | 2020-02-12 | 2.1 LOW | 2.4 LOW |
| Not strictly enough sanitization in the Nextcloud Android app 3.6.0 allowed an attacker to get content information from protected tables when using custom queries. | |||||
| CVE-2013-3638 | 1 Boonex | 1 Dolphin | 2020-02-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in Boonex Dolphin before 7.1.3 allows remote authenticated users to execute arbitrary SQL commands via the 'pathes' parameter in 'categories.php'. | |||||
| CVE-2020-8645 | 1 Simplejobscript | 1 Simplejobscript | 2020-02-12 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Simplejobscript.com SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file is _lib/class.JobApplication.php. | |||||
| CVE-2015-2062 | 2 Huge-it, Microsoft | 2 Huge-it Slider, Windows | 2020-02-11 | 6.5 MEDIUM | 7.2 HIGH |
| Multiple SQL injection vulnerabilities in the Huge-IT Slider (slider-image) plugin before 2.7.0 for WordPress allow remote administrators to execute arbitrary SQL commands via the removeslide parameter in a popup_posts or edit_cat action in the sliders_huge_it_slider page to wp-admin/admin.php. | |||||
| CVE-2019-20059 | 1 Mfscripts | 1 Yetishare | 2020-02-11 | 6.8 MEDIUM | 8.8 HIGH |
| payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732. | |||||
| CVE-2019-9039 | 1 Couchbase | 1 Sync Gateway | 2020-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for Couchbase Mobile replication and external access to this REST endpoint has been blocked to mitigate this issue. This issue has been fixed in versions 2.5.0 and 2.1.3. | |||||
| CVE-2014-4984 | 1 Dejavuprotech | 1 Crescendo - Sales Crm | 2020-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| Déjà Vu Crescendo Sales CRM has remote SQL Injection. | |||||
| CVE-2008-1508 | 1 Efestech | 1 E-kontor | 2020-02-10 | 7.5 HIGH | N/A |
| SQL injection vulnerability in EfesTech E-Kontör and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||||
| CVE-2005-2035 | 1 Cool Cafe Chat | 1 Cool Cafe Chat | 2020-02-10 | 7.5 HIGH | N/A |
| SQL injection vulnerability in login.asp for Cool Cafe (Cool Café) Chat 1.2.1 allows remote attackers to execute arbitrary SQL commands via the password. | |||||
| CVE-2019-20447 | 1 Jobberbase | 1 Jobberbase | 2020-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-in endpoint. | |||||
| CVE-2011-1151 | 1 Joomla | 1 Joomla! | 2020-02-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| Joomla! 1.6.0 is vulnerable to SQL Injection via the filter_order and filer_order_Dir parameters. | |||||
| CVE-2020-6960 | 1 Honeywell | 12 Hnmswvms, Hnmswvms Firmware, Hnmswvmslt and 9 more | 2020-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch contain an SQL injection vulnerability that could give an attacker remote unauthenticated access to the web user interface with administrator-level privileges. | |||||
| CVE-2016-11018 | 1 Huge-it | 1 Image Gallery | 2020-02-06 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Huge-IT gallery-images plugin before 1.9.0 for WordPress. The headers Client-Ip and X-Forwarded-For are prone to unauthenticated SQL injection. The affected file is gallery-images.php. The affected function is huge_it_image_gallery_ajax_callback(). | |||||
