Security Vulnerabilities Published In October 2019(SQL Injection)

Columns for each entry: # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. The "# of Exploits" column is empty for every entry on this page, and the Authentication value "???" is reproduced as the page shows it.

1   CVE-2019-18464 | CWE-89 | Sql | Published 2019-10-31 | Updated 2019-11-06 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database or may be able to alter the database.

2   CVE-2019-18413 | CWE-79 | Sql XSS Bypass | Published 2019-10-24 | Updated 2021-12-07 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.

3   CVE-2019-18387 | CWE-89 | Exec Code Sql | Published 2019-10-23 | Updated 2019-10-28 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.

4   CVE-2019-18344 | CWE-89 | Exec Code Sql | Published 2019-10-23 | Updated 2020-09-03 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    Sourcecodester Online Grading System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, or user page (id or classid parameter).

5   CVE-2019-18229 | CWE-89 | Sql | Published 2019-10-31 | Updated 2021-05-13 | Score 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/None/None
    Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input causes SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.

6   CVE-2019-17612 | CWE-89 | Sql | Published 2019-10-15 | Updated 2019-10-17 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.

7   CVE-2019-17602 | CWE-89 | Sql | Published 2019-10-15 | Updated 2021-05-04 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.

8   CVE-2019-17580 | CWE-89 | Sql | Published 2019-10-14 | Updated 2019-10-16 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    tonyy dormsystem through 1.3 allows SQL Injection in admin.php.

9   CVE-2019-17553 | CWE-89 | Sql | Published 2019-10-14 | Updated 2019-10-17 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.

10  CVE-2019-17552 | CWE-89 | Sql | Published 2019-10-14 | Updated 2019-10-16 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.

11  CVE-2019-17429 | CWE-89 | Sql | Published 2019-10-10 | Updated 2019-10-11 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter.

12  CVE-2019-17419 | CWE-89 | Sql | Published 2019-10-10 | Updated 2019-10-10 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter.

13  CVE-2019-17418 | CWE-89 | Sql | Published 2019-10-10 | Updated 2019-10-10 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997.

14  CVE-2019-17319 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-09 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user.

15  CVE-2019-17318 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-09 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user.

16  CVE-2019-17298 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-09 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user.

17  CVE-2019-17297 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-09 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user.

18  CVE-2019-17296 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-09 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user.

19  CVE-2019-17295 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-09 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user.

20  CVE-2019-17294 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-09 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user.

21  CVE-2019-17293 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-10 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user.

22  CVE-2019-17292 | CWE-89 | Sql | Published 2019-10-07 | Updated 2019-10-10 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user.

23  CVE-2019-17271 | CWE-89 | Sql | Published 2019-10-08 | Updated 2019-10-09 | Score 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/None/None
    vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter.

24  CVE-2019-17197 | CWE-89 | Sql | Published 2019-10-05 | Updated 2019-10-08 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.

25  CVE-2019-17128 | CWE-89 | Sql | Published 2019-10-09 | Updated 2019-10-11 | Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/None/None
    Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection (Boolean Based Blind) in the redirect parameters and parameter name of the login page through a GET request. The injection allows an attacker to read sensitive information from the database used by the application.

26  CVE-2019-17119 | CWE-89 | Exec Code Sql | Published 2019-10-17 | Updated 2019-10-22 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    Multiple SQL injection vulnerabilities in Logs.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allow authenticated users to execute arbitrary SQL commands via the source or subString parameter.

27  CVE-2019-17117 | CWE-89 | Exec Code Sql | Published 2019-10-17 | Updated 2019-10-22 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    A SQL injection vulnerability in processPref.jsp in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows an authenticated user to execute arbitrary SQL commands via the processPref.jsp key parameter.

28  CVE-2019-17072 | CWE-89 | Sql | Published 2019-10-10 | Updated 2019-10-10 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via all-query-page.php.

29  CVE-2019-16980 | CWE-89 | Sql | Published 2019-10-21 | Updated 2019-10-23 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection.

30  CVE-2019-16917 | CWE-89 | Sql | Published 2019-10-17 | Updated 2019-10-22 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    WiKID Enterprise 2FA (two factor authentication) Enterprise Server through 4.2.0-b2047 is vulnerable to SQL injection through the searchDevices.jsp endpoint. The uid and domain parameters are used, unsanitized, in a SQL query constructed in the buildSearchWhereClause function.

31  CVE-2019-16682 | CWE-89 | Sql | Published 2019-10-16 | Updated 2019-10-21 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    The url_redirect (aka URL redirect) extension through 1.2.1 for TYPO3 fails to properly sanitize user input and is susceptible to SQL Injection.

32  CVE-2019-16404 | CWE-89 | Sql | Published 2019-10-21 | Updated 2019-10-22 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.

33  CVE-2019-15016 | CWE-89 | Sql | Published 2019-10-09 | Updated 2020-02-17 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    An SQL injection vulnerability exists in the management interface of Zingbox Inspector versions 1.288 and earlier, that allows for unsanitized data provided by an authenticated user to be passed from the web UI into the database.

34  CVE-2019-13957 | CWE-89 | Sql | Published 2019-10-02 | Updated 2019-10-04 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter.

35  CVE-2019-13409 | CWE-89 | Sql | Published 2019-10-17 | Updated 2019-10-22 | Score 5.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/None/None
    A SQL injection vulnerability was discovered in TOPMeeting before version 8.8 (2019/08/19). An attacker can use a union based injection query string through a search meeting room feature to get databases schema and username/password.

36  CVE-2019-12710 | CWE-89 | Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 4.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/None/None
    A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an authenticated, remote attacker to impact the confidentiality of an affected system by executing arbitrary SQL queries. The vulnerability exists because the affected software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted requests that contain malicious SQL statements to the affected application. A successful exploit could allow the attacker to determine the presence of certain values in the database, impacting the confidentiality of the system.

37  CVE-2019-12686 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

38  CVE-2019-12685 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

39  CVE-2019-12684 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

40  CVE-2019-12683 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

41  CVE-2019-12682 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

42  CVE-2019-12681 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

43  CVE-2019-12680 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

44  CVE-2019-12679 | CWE-89 | Exec Code Sql | Published 2019-10-02 | Updated 2019-10-09 | Score 9.0 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Complete/Complete/Complete
    Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.

45  CVE-2019-10762 | CWE-89 | Sql | Published 2019-10-30 | Updated 2019-11-01 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    columnQuote in medoo before 1.7.5 allows remote attackers to perform a SQL Injection due to improper escaping.

46  CVE-2019-10757 | CWE-89 | Sql | Published 2019-10-08 | Updated 2019-10-15 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.

47  CVE-2019-10752 | CWE-89 | Sql | Published 2019-10-17 | Updated 2019-10-21 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

48  CVE-2019-10749 | CWE-89 | Sql | Published 2019-10-29 | Updated 2019-10-31 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.

49  CVE-2019-10748 | CWE-89 | Sql | Published 2019-10-29 | Updated 2019-10-31 | Score 7.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf./Integ./Avail.: Partial/Partial/Partial
    Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

50  CVE-2019-10208 | CWE-89 | Sql | Published 2019-10-29 | Updated 2020-08-17 | Score 6.5 | Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf./Integ./Avail.: Partial/Partial/Partial
    A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
Total number of vulnerabilities: 77 (this is page 1 of 2)