Search
Total
8599 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3482 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 7.5 HIGH | N/A |
| SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting. | |||||
| CVE-2012-2661 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 5.0 MEDIUM | N/A |
| The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695. | |||||
| CVE-2014-0080 | 1 Rubyonrails | 1 Rails | 2019-08-08 | 6.8 MEDIUM | N/A |
| SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. | |||||
| CVE-2008-4094 | 1 Rubyonrails | 2 Rails, Ruby On Rails | 2019-08-08 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | |||||
| CVE-2018-11774 | 1 Apache | 1 Virtual Computing Lab | 2019-08-07 | 6.5 MEDIUM | 7.2 HIGH |
| Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts. The form data is then used in SQL statements. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech. | |||||
| CVE-2018-11772 | 1 Apache | 1 Virtual Computing Lab | 2019-08-07 | 6.5 MEDIUM | 7.2 HIGH |
| Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. The cookie data is then used in an SQL statement. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech. | |||||
| CVE-2019-13026 | 1 Oxid-esales | 1 Eshop | 2019-08-07 | 7.5 HIGH | 9.8 CRITICAL |
| OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary. | |||||
| CVE-2019-13571 | 1 Vsourz | 1 Advanced Cf7 Db | 2019-08-06 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. | |||||
| CVE-2019-7139 | 1 Magento | 1 Magento | 2019-08-06 | 7.5 HIGH | 9.8 CRITICAL |
| An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. | |||||
| CVE-2016-10817 | 1 Cpanel | 1 Cpanel | 2019-08-06 | 10.0 HIGH | 9.8 CRITICAL |
| cPanel before 57.9999.54 allows SQL Injection via the ModSecurity TailWatch log file (SEC-123). | |||||
| CVE-2019-10866 | 1 10web | 1 Form Maker | 2019-08-03 | 7.5 HIGH | 9.8 CRITICAL |
| In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter. | |||||
| CVE-2018-20887 | 1 Cpanel | 1 Cpanel | 2019-08-01 | 7.5 HIGH | 9.8 CRITICAL |
| cPanel before 74.0.0 allows SQL injection during database backups (SEC-420). | |||||
| CVE-2016-6443 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2019-08-01 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability. More Information: CSCva27038, CSCva28335. Known Affected Releases: 3.1(0.128), 1.2(400), 2.0(1.0.34A). | |||||
| CVE-2017-1002026 | 1 Eventespresso | 1 Event Espresso | 2019-07-31 | 6.5 MEDIUM | 8.8 HIGH |
| Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement. | |||||
| CVE-2019-13413 | 1 Boiteasite | 1 Rencontre | 2019-07-31 | 7.5 HIGH | 9.8 CRITICAL |
| The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php. | |||||
| CVE-2019-13573 | 1 Foliovision | 1 Fv Flowplayer Video Player | 2019-07-31 | 10.0 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. | |||||
| CVE-2019-13570 | 1 Ajdg | 1 Adrotate | 2019-07-31 | 6.5 MEDIUM | 7.2 HIGH |
| The AJdG AdRotate plugin before 5.3 for WordPress allows SQL Injection. | |||||
| CVE-2019-13569 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2019-07-31 | 10.0 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. | |||||
| CVE-2014-3828 | 1 Merethis | 2 Centreon, Centreon Enterprise Server | 2019-07-30 | 10.0 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/. | |||||
| CVE-2015-1560 | 1 Centreon | 1 Centreon | 2019-07-30 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php. | |||||
| CVE-2018-19312 | 1 Centreon | 1 Centreon | 2019-07-30 | 6.5 MEDIUM | 8.8 HIGH |
| Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI. | |||||
| CVE-2018-19281 | 1 Centreon | 1 Centreon | 2019-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) allows SNMP trap SQL Injection. | |||||
| CVE-2018-19271 | 1 Centreon | 1 Centreon | 2019-07-30 | 6.5 MEDIUM | 8.8 HIGH |
| Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.28) allows SQL Injection via the main.php searchH parameter. | |||||
| CVE-2019-1010191 | 1 Marginalia Project | 1 Marginalia | 2019-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6. | |||||
| CVE-2019-14266 | 1 Opensns | 1 Opensns | 2019-07-29 | 6.5 MEDIUM | 8.8 HIGH |
| OpenSNS v6.1.0 allows SQL Injection via the index.php?s=/ucenter/Config/ uid parameter because of the getNeedQueryData function in Application/Common/Model/UserModel.class.php. | |||||
| CVE-2012-5967 | 1 Merethis | 1 Centreon | 2019-07-29 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in menuXML.php in Centreon 2.3.3 through 2.3.9-4 (fixed in Centreon web 2.6.0) allows remote authenticated users to execute arbitrary SQL commands via the menu parameter. | |||||
| CVE-2019-12193 | 1 H3c | 1 H3cloud Os | 2019-07-29 | 7.5 HIGH | 9.8 CRITICAL |
| H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter. | |||||
| CVE-2019-13978 | 1 Ovidentia | 1 Ovidentia | 2019-07-27 | 6.5 MEDIUM | 8.8 HIGH |
| Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request. | |||||
| CVE-2019-1010201 | 1 Jeesite | 1 Jeesite | 2019-07-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later. | |||||
| CVE-2019-1010153 | 1 Zzcms | 1 Zzcms | 2019-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php. | |||||
| CVE-2019-1010148 | 1 Zzcms | 1 Zzcms | 2019-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution. | |||||
| CVE-2019-1010248 | 1 I-doit | 1 I-doit | 2019-07-23 | 7.5 HIGH | 9.8 CRITICAL |
| Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malicious HTTP POST request. The fixed version is: 1.12.1. | |||||
| CVE-2019-14231 | 1 Onionbuzz | 1 Onionbuzz | 2019-07-23 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure. | |||||
| CVE-2019-14230 | 1 Onionbuzz | 1 Onionbuzz | 2019-07-23 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure. | |||||
| CVE-2019-1010104 | 1 Techytalk | 1 Quick Chat | 2019-07-23 | 7.5 HIGH | 9.8 CRITICAL |
| TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request. | |||||
| CVE-2019-12946 | 1 Elcom | 1 Elcom Cms | 2019-07-22 | 5.0 MEDIUM | 7.5 HIGH |
| Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx and EventSearchAdv.aspx. | |||||
| CVE-2019-13575 | 1 Wpeverest | 1 Everest Forms | 2019-07-19 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php | |||||
| CVE-2019-13969 | 1 Metinfo | 1 Metinfo | 2019-07-19 | 6.5 MEDIUM | 8.8 HIGH |
| Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request. | |||||
| CVE-2018-13442 | 1 Solarwinds | 1 Network Performance Monitor | 2019-07-18 | 6.5 MEDIUM | 8.8 HIGH |
| SolarWinds Network Performance Monitor 12.3 allows SQL Injection via the /api/ActiveAlertsOnThisEntity/GetActiveAlerts TriggeringObjectEntityNames parameter. | |||||
| CVE-2019-13447 | 1 Sertek | 1 Xpare | 2019-07-18 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Sertek Xpare 3.67. The login form does not sanitize input data. Because of this, a malicious agent could access the backend database via SQL injection. | |||||
| CVE-2014-3997 | 1 Zohocorp | 2 Manageengine It360, Manageengine Password Manager Pro | 2019-07-16 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat. | |||||
| CVE-2014-8498 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2019-07-16 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter. | |||||
| CVE-2014-7867 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2019-07-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter. | |||||
| CVE-2014-7868 | 1 Zohocorp | 3 Manageengine It360, Manageengine Opmanager, Manageengine Social It Plus | 2019-07-15 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet. | |||||
| CVE-2018-1252 | 1 Rsa | 1 Web Threat Detection | 2019-07-15 | 6.5 MEDIUM | 8.8 HIGH |
| RSA Web Threat Detection versions prior to 6.4, contain an SQL injection vulnerability in the Administration and Forensics applications. An authenticated malicious user with low privileges could potentially exploit this vulnerability to execute SQL commands on the back-end database to gain unauthorized access to the tool's monitoring and user information by supplying specially crafted input data to the affected application. | |||||
| CVE-2019-13027 | 1 Realization | 1 Concerto Critical Chain Planner | 2019-07-15 | 7.5 HIGH | 9.8 CRITICAL |
| Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least in the taskupdt/taskdetails.aspx webpage via the projectname parameter. | |||||
| CVE-2019-13489 | 1 Trape Project | 1 Trape | 2019-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| Trape through 2019-05-08 has SQL injection via the data[2] variable in core/db.py, as demonstrated by the /bs t parameter. | |||||
| CVE-2019-13507 | 1 Hidea | 1 Az Admin | 2019-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| hidea.com AZ Admin 1.0 has news_det.php?cod= SQL Injection. | |||||
| CVE-2019-12723 | 1 Teclib-edition | 1 Fields | 2019-07-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user. | |||||
| CVE-2019-10653 | 1 Hsycms | 1 Hsycms | 2019-07-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Hsycms V1.1. There is a SQL injection vulnerability via a /news/*.html page. | |||||