Total: 8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2019-15984 | 1 Cisco | 1 Data Center Network Manager | 2020-02-06 | 9.0 HIGH | 7.2 HIGH | Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. |
| CVE-2020-8592 | 1 Eginnovations | 1 Eg Manager | 2020-02-05 | 7.5 HIGH | 9.8 CRITICAL | eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg.LoginHelperServlet (aka the Forgot Password feature). |
| CVE-2014-3119 | 1 Web2project | 1 Web2project | 2020-02-05 | 6.5 MEDIUM | 8.8 HIGH | Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search_string parameter in the contacts module to index.php, or allow remote attackers to execute arbitrary SQL commands via the updatekey parameter to (2) do_updatecontact.php or (3) updatecontact.php. |
| CVE-2014-3719 | 1 Exlibrisgroup | 1 Aleph 500 | 2020-02-05 | 7.5 HIGH | 9.8 CRITICAL | Multiple SQL injection vulnerabilities in cgi-bin/review_m.cgi in Ex Libris ALEPH 500 (Integrated library management system) 18.1 and 20 allow remote attackers to execute arbitrary SQL commands via the (1) find, (2) lib, or (3) sid parameter. |
| CVE-2017-14807 | 1 Suse | 2 Studio Onsite, Susestudio-ui-server | 2020-02-04 | 5.5 MEDIUM | 8.1 HIGH | An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in susestudio-ui-server of SUSE Studio onsite allows remote attackers with admin privileges in Studio to alter SQL statements, allowing for extraction and modification of data. This issue affects: SUSE Studio onsite susestudio-ui-server version 1.3.17-56.6.3 and prior versions. |
| CVE-2018-5960 | 1 Tribalsystems | 1 Zenario | 2020-02-03 | 6.5 MEDIUM | 8.8 HIGH | Zenario v7.1 - v7.6 has SQL injection via the `Name` input field of organizer.php or admin_boxes.ajax.php in the `Categories - Edit` module. |
| CVE-2014-3868 | 1 Zeuscart | 1 Zeuscart | 2020-02-03 | 6.5 MEDIUM | 8.8 HIGH | Multiple SQL injection vulnerabilities in ZeusCart 4.x. |
| CVE-2015-0244 | 2 Debian, Postgresql | 2 Debian Linux, Postgresql | 2020-01-31 | 7.5 HIGH | 9.8 CRITICAL | PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation. |
| CVE-2012-4383 | 1 Contao | 1 Contao | 2020-01-31 | 6.5 MEDIUM | 8.8 HIGH | Contao prior to 2.11.4 has a SQL injection vulnerability. |
| CVE-2014-1925 | 1 Koha | 1 Koha | 2020-01-30 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924. |
| CVE-2020-3719 | 1 Magento | 1 Magento | 2020-01-30 | 7.8 HIGH | 7.5 HIGH | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a SQL injection vulnerability. Successful exploitation could lead to sensitive information disclosure. |
| CVE-2014-1924 | 1 Koha | 1 Koha | 2020-01-30 | 7.5 HIGH | 9.8 CRITICAL | The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. |
| CVE-2012-5698 | 1 Babygekko | 1 Babygekko | 2020-01-29 | 6.8 MEDIUM | 8.8 HIGH | BabyGekko before 1.2.4 has SQL injection. |
| CVE-2020-7229 | 1 Simplejobscript | 1 Simplejobscript | 2020-01-29 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Simplejobscript.com SJS before 1.65. There is unauthenticated SQL injection via the search engine. The parameter is landing_location. The function is countSearchedJobs(). The file is _lib/class.Job.php. |
| CVE-2019-12619 | 1 Cisco | 8 Sd-wan Firmware, Vedge-100, Vedge-1000 and 5 more | 2020-01-29 | 4.0 MEDIUM | 6.5 MEDIUM | A vulnerability in the web interface for Cisco SD-WAN Solution vManage could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. |
| CVE-2020-7981 | 1 Rubygeocoder | 1 Geocoder | 2020-01-27 | 7.5 HIGH | 9.8 CRITICAL | sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data. |
| CVE-2020-7939 | 1 Plone | 1 Plone | 2020-01-24 | 6.5 MEDIUM | 8.8 HIGH | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) |
| CVE-2012-1259 | 1 Plixer | 1 Scrutinizer Netflow & Sflow Analyzer | 2020-01-24 | 7.5 HIGH | 9.8 CRITICAL | Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrut_fa_exclusions.cgi, (2) getPermissionsAndPreferences parameter to cgi-bin/login.cgi, or (3) possibly certain parameters to d4d/alarms.php as demonstrated by the search_str parameter. |
| CVE-2011-0467 | 1 Suse | 2 Studio Onsite, Studio Onsite Appliance | 2020-01-24 | 6.5 MEDIUM | 8.8 HIGH | A vulnerability in the listing of available software of SUSE Studio Onsite and SUSE Studio Onsite 1.1 Appliance allows authenticated users to execute arbitrary SQL statements via SQL injection. Affected releases are SUSE Studio Onsite: versions prior to 1.0.3-0.18.1; SUSE Studio Onsite 1.1 Appliance: versions prior to 1.1.2-0.25.1. |
| CVE-2011-2715 | 1 Drupal | 2 Data, Drupal | 2020-01-24 | 7.5 HIGH | 9.8 CRITICAL | An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names. |
| CVE-2011-4094 | 1 Jara Project | 1 Jara | 2020-01-23 | 7.5 HIGH | 9.8 CRITICAL | Jara 1.6 has a SQL injection vulnerability. |
| CVE-2019-19740 | 1 Octeth | 1 Oempro | 2020-01-21 | 7.5 HIGH | 9.8 CRITICAL | Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable. |
| CVE-2005-4891 | 1 Simplemachines | 1 Simple Machine Forum | 2020-01-21 | 7.5 HIGH | 9.8 CRITICAL | Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements. |
| CVE-2020-5511 | 1 Phpgurukul | 1 Small Crm | 2020-01-17 | 6.5 MEDIUM | 8.8 HIGH | PHPGurukul Small CRM v2.0 was found vulnerable to authentication bypass via SQL injection when logging into the administrator login page. |
| CVE-2018-16803 | 1 Cimtechniques | 1 Cimscan | 2020-01-16 | 10.0 HIGH | 9.8 CRITICAL | In CIMTechniques CIMScan 6.x through 6.2, the SOAP WSDL parser allows attackers to execute SQL code. |
| CVE-2020-5841 | 1 Opservices | 1 Opmon | 2020-01-16 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in OpServices OpMon 9.3.1-1. Using password change parameters, an attacker could perform SQL injection without authentication. |
| CVE-2011-5266 | 1 Imperva | 1 Securesphere Web Application Firewall | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL | Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2010 allows SQL injection filter bypass. |
| CVE-2019-20179 | 1 Soplanning | 1 Soplanning | 2020-01-15 | 6.5 MEDIUM | 8.8 HIGH | SOPlanning 1.45 has SQL injection via the user_list.php "by" parameter. |
| CVE-2019-18622 | 3 Fedoraproject, Opensuse, Phpmyadmin | 4 Fedora, Backports Sle, Leap and 1 more | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. |
| CVE-2014-5140 | 1 Loadedcommerce | 1 Loaded7 | 2020-01-14 | 6.5 MEDIUM | 8.8 HIGH | The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book. |
| CVE-2019-4651 | 1 Ibm | 1 Jazz Reporting Service | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL | IBM Jazz Reporting Service (JRS) 6.0.6.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 170962. |
| CVE-2011-5020 | 1 Online Tv Database Project | 1 Online Tv Database | 2020-01-14 | 7.5 HIGH | 9.8 CRITICAL | An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011. |
| CVE-2011-1933 | 1 Jifty | 1 Jifty::DBI | 2020-01-13 | 7.5 HIGH | 9.8 CRITICAL | SQL injection vulnerability in Jifty::DBI before 0.68. |
| CVE-2013-3932 | 1 Jomres | 1 Jomres | 2020-01-09 | 6.5 MEDIUM | 8.8 HIGH | SQL injection vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to execute arbitrary SQL commands via the id parameter in an editProfile action to administrator/index.php. |
| CVE-2019-7478 | 1 Sonicwall | 1 Global Management System | 2020-01-09 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability in GMS allows an unauthenticated user to perform SQL injection in the Webservice module. This vulnerability affected GMS versions 8.4, 8.5, 8.6, 8.7, 9.0 and 9.1. |
| CVE-2019-20337 | 1 Advanced Real Estate Script Project | 1 Advanced Real Estate Script | 2020-01-09 | 6.5 MEDIUM | 7.2 HIGH | In PHP Scripts Mall advanced-real-estate-script 4.0.9, the news_edit.php news_id parameter is vulnerable to SQL Injection. |
| CVE-2019-19732 | 1 Mfscripts | 1 Yetishare | 2020-01-08 | 6.5 MEDIUM | 7.2 HIGH | translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. |
| CVE-2019-15985 | 1 Cisco | 1 Data Center Network Manager | 2020-01-08 | 9.0 HIGH | 7.2 HIGH | Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. To exploit these vulnerabilities, an attacker would need administrative privileges on the DCNM application. For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one. |
| CVE-2014-8673 | 1 Soplanning | 1 Soplanning | 2020-01-08 | 7.5 HIGH | 9.8 CRITICAL | Multiple SQL injection vulnerabilities exist in planning.php, user_list.php, projets.php, user_groupes.php, and groupe_list.php in Simple Online Planning (SOPlanning) before 1.33. |
| CVE-2017-18514 | 1 Simplerealtytheme | 1 Simple Login Log | 2020-01-07 | 7.5 HIGH | 9.8 CRITICAL | The simple-login-log plugin before 1.1.2 for WordPress has SQL injection. |
| CVE-2019-19734 | 1 Mfscripts | 1 Yetishare | 2020-01-07 | 6.5 MEDIUM | 8.8 HIGH | _account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. |
| CVE-2015-5591 | 1 Zenphoto | 1 Zenphoto | 2020-01-06 | 6.5 MEDIUM | 7.2 HIGH | SQL injection vulnerability in Zenphoto before 1.4.9 allows remote administrators to execute arbitrary SQL commands. |
| CVE-2019-6012 | 1 Tms-outsource | 1 Wpdatatables Lite | 2020-01-03 | 6.5 MEDIUM | 7.2 HIGH | SQL injection vulnerability in wpDataTables Lite Version 2.0.11 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2019-17527 | 1 Joomsky | 1 Js Jobs | 2020-01-02 | 7.5 HIGH | 9.8 CRITICAL | dataForDepandantField in models/custormfields.php in the JS JOBS FREE extension before 1.2.7 for Joomla! allows SQL Injection via the index.php?option=com_jsjobs&task=customfields.getfieldtitlebyfieldandfieldfo child parameter. |
| CVE-2019-7484 | 1 Sonicwall | 2 Sma 100, Sma 100 Firmware | 2019-12-31 | 4.0 MEDIUM | 6.5 MEDIUM | Authenticated SQL Injection in SonicWall SMA100 allows a user to gain read-only access to unauthorized resources using the viewcacert CGI script. This vulnerability impacted SMA100 version 9.0.0.3 and earlier. |
| CVE-2019-18234 | 1 Equinoxce | 1 Control Expert | 2019-12-30 | 7.5 HIGH | 9.8 CRITICAL | Equinox Control Expert, all versions, is vulnerable to an SQL injection attack, which may allow an attacker to remotely execute arbitrary code. |
| CVE-2019-19850 | 1 Typo3 | 1 Typo3 | 2019-12-20 | 6.5 MEDIUM | 7.2 HIGH | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. |
| CVE-2019-19650 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-12-19 | 6.5 MEDIUM | 8.8 HIGH | Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. |
| CVE-2019-19649 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-12-19 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. |
| CVE-2016-1000113 | 1 Huge-it | 1 Gallery | 2019-12-19 | 7.5 HIGH | 9.8 CRITICAL | XSS and SQLi in Huge IT Gallery v1.1.5 for Joomla. |
