Search
Total
8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-18464 | 1 Ipswitch | 1 Moveit Transfer | 2019-11-06 | 7.5 HIGH | 9.8 CRITICAL |
| In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database or may be able to alter the database. | |||||
| CVE-2019-6658 | 1 F5 | 1 Big-ip Advanced Firewall Manager | 2019-11-05 | 4.0 MEDIUM | 4.3 MEDIUM |
| On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, 13.1.0-13.1.3.1, and 12.1.0-12.1.5, a vulnerability in the AFM configuration utility may allow any authenticated BIG-IP user to run an SQL injection attack. | |||||
| CVE-2019-18663 | 1 Isl | 1 Arp-guard | 2019-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter. | |||||
| CVE-2018-16659 | 1 Rausoft | 1 Id.prove | 2019-11-05 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Rausoft ID.prove 2.95. The login page allows SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter. Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation. | |||||
| CVE-2010-3662 | 1 Typo3 | 1 Typo3 | 2019-11-05 | 6.5 MEDIUM | 8.8 HIGH |
| TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend. | |||||
| CVE-2013-2738 | 1 Readymedia Project | 1 Readymedia | 2019-11-04 | 7.5 HIGH | 9.8 CRITICAL |
| minidlna has SQL Injection that may allow retrieval of arbitrary files | |||||
| CVE-2009-4899 | 1 Pixelpost | 1 Pixelpost | 2019-11-01 | 7.5 HIGH | 9.8 CRITICAL |
| pixelpost 1.7.1 has SQL injection | |||||
| CVE-2019-10762 | 1 Medoo | 1 Medoo | 2019-11-01 | 7.5 HIGH | 9.8 CRITICAL |
| columnQuote in medoo before 1.7.5 allows remote attackers to perform a SQL Injection due to improper escaping. | |||||
| CVE-2019-10748 | 1 Sequelizejs | 1 Sequelize | 2019-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects. | |||||
| CVE-2019-10749 | 1 Sequelizejs | 1 Sequelize | 2019-10-31 | 7.5 HIGH | 9.8 CRITICAL |
| sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect. | |||||
| CVE-2015-0270 | 1 Zend | 1 Framework | 2019-10-30 | 7.5 HIGH | 9.8 CRITICAL |
| Zend Framework before 2.2.10 and 2.3.x before 2.3.5 has Potential SQL injection in PostgreSQL Zend\Db adapter. | |||||
| CVE-2019-12516 | 1 Slickquiz Project | 1 Slickquiz | 2019-10-29 | 6.5 MEDIUM | 8.8 HIGH |
| The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-edit&id= or /wp-admin/admin.php?page=slickquiz-preview&id= URI. | |||||
| CVE-2019-18387 | 1 Hotel And Lodge Management System Project | 1 Hotel And Lodge Management System | 2019-10-28 | 7.5 HIGH | 9.8 CRITICAL |
| Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. | |||||
| CVE-2015-9496 | 1 Freshmail | 1 Freshmail-newsletter | 2019-10-24 | 6.5 MEDIUM | 8.8 HIGH |
| The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring. | |||||
| CVE-2019-16980 | 1 Fusionpbx | 1 Fusionpbx | 2019-10-23 | 6.5 MEDIUM | 8.8 HIGH |
| In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection. | |||||
| CVE-2019-17119 | 1 Wikidsystems | 1 Two Factor Authentication Enterprise Server | 2019-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple SQL injection vulnerabilities in Logs.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allow authenticated users to execute arbitrary SQL commands via the source or subString parameter. | |||||
| CVE-2019-16917 | 1 Wikidsystems | 1 Two Factor Authentication Enterprise Server | 2019-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| WiKID Enterprise 2FA (two factor authentication) Enterprise Server through 4.2.0-b2047 is vulnerable to SQL injection through the searchDevices.jsp endpoint. The uid and domain parameters are used, unsanitized, in a SQL query constructed in the buildSearchWhereClause function. | |||||
| CVE-2014-2311 | 1 Modx | 1 Modx Revolution | 2019-10-22 | 7.5 HIGH | N/A |
| SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 before 2.2.13 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2014-2736 | 1 Modx | 1 Modx Revolution | 2019-10-22 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to connectors/security/message.php or (3) id parameter to manager/index.php. | |||||
| CVE-2019-17117 | 1 Wikidsystems | 1 2fa Enterprise Server | 2019-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in processPref.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows an authenticated user to execute arbitrary SQL commands via the processPref.jsp key parameter. | |||||
| CVE-2019-16404 | 1 Open-emr | 1 Openemr | 2019-10-22 | 6.5 MEDIUM | 8.8 HIGH |
| Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter. | |||||
| CVE-2019-13409 | 1 Topmeeting | 1 Topmeeting | 2019-10-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| A SQL injection vulnerability was discovered in TOPMeeting before version 8.8 (2019/08/19). An attacker can use a union based injection query string though a search meeting room feature to get databases schema and username/password. | |||||
| CVE-2019-16682 | 1 Url Redirect Project | 1 Url Redirect | 2019-10-21 | 7.5 HIGH | 7.3 HIGH |
| The url_redirect (aka URL redirect) extension through 1.2.1 for TYPO3 fails to properly sanitize user input and is susceptible to SQL Injection. | |||||
| CVE-2019-10752 | 1 Sequelizejs | 1 Sequelize | 2019-10-21 | 7.5 HIGH | 9.8 CRITICAL |
| Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite. | |||||
| CVE-2019-17612 | 1 74cms | 1 74cms | 2019-10-17 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter. | |||||
| CVE-2015-9466 | 1 Webtechideas | 1 Wti Like Post | 2019-10-17 | 7.5 HIGH | 9.8 CRITICAL |
| The wti-like-post plugin before 1.4.3 for WordPress has WtiLikePostProcessVote SQL injection via the HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, or HTTP_FORWARDED variable. | |||||
| CVE-2019-17553 | 1 Metinfo | 1 Metinfo | 2019-10-17 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI. | |||||
| CVE-2019-17552 | 1 Idreamsoft | 1 Icms | 2019-10-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload. | |||||
| CVE-2019-17580 | 1 Dormsystem Project | 1 Dormsystem | 2019-10-16 | 7.5 HIGH | 9.8 CRITICAL |
| tonyy dormsystem through 1.3 allows SQL Injection in admin.php. | |||||
| CVE-2015-9457 | 1 Caseproof | 1 Pretty Link | 2019-10-16 | 6.5 MEDIUM | 7.2 HIGH |
| The pretty-link plugin before 1.6.8 for WordPress has PrliLinksController::list_links SQL injection via the group parameter. | |||||
| CVE-2015-9465 | 1 Yet Another Stars Rating Project | 1 Yet Another Stars Rating | 2019-10-15 | 6.5 MEDIUM | 8.8 HIGH |
| The yet-another-stars-rating plugin before 0.9.1 for WordPress has yasr_get_multi_set_values_and_field SQL injection via the set_id parameter. | |||||
| CVE-2015-9460 | 1 Pinpoint | 1 Pinpoint Booking System | 2019-10-15 | 6.5 MEDIUM | 8.8 HIGH |
| The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTranslation::display SQL injection via the language parameter. | |||||
| CVE-2019-10757 | 1 Knexjs | 1 Knex | 2019-10-15 | 7.5 HIGH | 9.8 CRITICAL |
| knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB. | |||||
| CVE-2015-9462 | 1 Awesome Filterable Portfolio Project | 1 Awesome Filterable Portfolio | 2019-10-15 | 6.5 MEDIUM | 7.2 HIGH |
| The awesome-filterable-portfolio plugin before 1.9 for WordPress has afp_get_new_category_page SQL injection via the cat_id parameter. | |||||
| CVE-2019-17429 | 1 Adhouma Cms Project | 1 Adhouma Cms | 2019-10-11 | 7.5 HIGH | 9.8 CRITICAL |
| Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter. | |||||
| CVE-2019-17128 | 1 Netreo | 1 Omnicenter | 2019-10-11 | 5.0 MEDIUM | 7.5 HIGH |
| Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection (Boolean Based Blind) in the redirect parameters and parameter name of the login page through a GET request. The injection allows an attacker to read sensitive information from the database used by the application. | |||||
| CVE-2015-9467 | 1 K-78 | 1 Broken Link Manager | 2019-10-11 | 7.5 HIGH | 9.8 CRITICAL |
| The broken-link-manager plugin before 0.5.0 for WordPress has wpslDelURL or wpslEditURL SQL injection via the url parameter. | |||||
| CVE-2015-9461 | 1 Brinidesigner | 1 Awesome Filterable Portfolio | 2019-10-11 | 6.5 MEDIUM | 7.2 HIGH |
| The awesome-filterable-portfolio plugin before 1.9 for WordPress has afp_get_new_portfolio_item_page SQL injection via the item_id parameter. | |||||
| CVE-2015-9458 | 1 Seo Searchterms Tagging 2 Project | 1 Seo Searchterms Tagging 2 | 2019-10-11 | 6.5 MEDIUM | 7.2 HIGH |
| The searchterms-tagging-2 plugin through 1.535 for WordPress has SQL injection via the pk_stt2_db_get_popular_terms count parameter exploitable via CSRF. | |||||
| CVE-2015-9454 | 1 Slidervilla | 1 Smooth Slider | 2019-10-10 | 6.5 MEDIUM | 8.8 HIGH |
| The smooth-slider plugin before 2.7 for WordPress has SQL Injection via the wp-admin/admin.php?page=smooth-slider-admin current_slider_id parameter. | |||||
| CVE-2019-17072 | 1 Awplife | 1 Contact Form Widget | 2019-10-10 | 7.5 HIGH | 9.8 CRITICAL |
| The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via all-query-page.php. | |||||
| CVE-2019-17418 | 1 Metinfo | 1 Metinfo | 2019-10-10 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997. | |||||
| CVE-2019-17419 | 1 Metinfo | 1 Metinfo | 2019-10-10 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter. | |||||
| CVE-2019-17292 | 1 Sugarcrm | 1 Sugarcrm | 2019-10-10 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user. | |||||
| CVE-2019-17293 | 1 Sugarcrm | 1 Sugarcrm | 2019-10-10 | 6.5 MEDIUM | 8.8 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user. | |||||
| CVE-2019-9918 | 1 Harmistechnology | 1 Je Messenger | 2019-10-09 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. Input does not get validated and queries are not written in a way to prevent SQL injection. Therefore arbitrary SQL-Statements can be executed in the database. | |||||
| CVE-2019-9885 | 1 Eclass | 1 Eclass Ip | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| eClass platform < ip.2.5.10.2.1 allows an attacker to execute SQL command via /admin/academic/studenview_left.php StudentID parameter. | |||||
| CVE-2019-7001 | 1 Avaya | 1 Ip Office Contact Center | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability in the WebUI component of IP Office Contact Center could allow an authenticated attacker to retrieve or alter sensitive data related to other users on the system. Affected versions of IP Office Contact Center include all 9.x and 10.x versions prior to 10.1.2.2.2-11201.1908. Unsupported versions not listed here were not evaluated. | |||||
| CVE-2019-7003 | 1 Avaya | 1 Control Manager | 2019-10-09 | 6.4 MEDIUM | 10.0 CRITICAL |
| A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. Affected versions of Avaya Control Manager include 7.x and 8.0.x versions prior to 8.0.4.0. Unsupported versions not listed here were not evaluated. | |||||
| CVE-2019-5476 | 1 Nextcloud | 1 Lookup-server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to be able to execute arbitrary SQL commands. | |||||