CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2019(SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-19250 89 Sql 2019-11-25 2019-12-04
7.5
None Remote Low Not required Partial Partial Partial
OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js.
2 CVE-2019-19207 89 Sql 2019-11-21 2019-11-26
6.5
None Remote Low ??? Partial Partial Partial
rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.
3 CVE-2019-19113 89 Sql 2019-11-18 2019-12-03
7.5
None Remote Low Not required Partial Partial Partial
main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection.
4 CVE-2019-18890 89 Sql 2019-11-21 2019-11-26
4.0
None Remote Low ??? Partial None None
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.
5 CVE-2019-18784 89 Sql 2019-11-06 2019-11-06
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
6 CVE-2019-18663 89 Exec Code Sql 2019-11-04 2019-11-05
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter.
7 CVE-2019-18662 89 Sql 2019-11-02 2019-12-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.
8 CVE-2019-18646 89 Sql 2019-11-14 2019-11-14
6.5
None Remote Low ??? Partial Partial Partial
The Untangle NG firewall 14.2.0 is vulnerable to authenticated inline-query SQL injection within the timeDataDynamicColumn parameter when logged in as an admin user.
9 CVE-2019-18622 89 Sql 2019-11-22 2020-01-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
10 CVE-2019-15995 89 Sql 2019-11-26 2019-12-09
5.5
None Remote Low ??? None Partial Partial
A vulnerability in the web UI of Cisco DNA Spaces: Connector could allow an authenticated, remote attacker to execute arbitrary SQL queries. The vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by entering malicious SQL statements in an affected field in the web UI. A successful exploit could allow the attacker to remove the SQL database, which would require the reinstallation of the Connector VM.
11 CVE-2019-15972 89 Sql 2019-11-26 2019-12-09
6.5
None Remote Low ??? Partial Partial Partial
A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates SQL values. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database.
12 CVE-2019-15300 89 Sql 2019-11-27 2019-12-09
6.5
None Remote Low ??? Partial Partial Partial
A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.
13 CVE-2019-13079 89 Exec Code Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME.
14 CVE-2019-13078 89 Exec Code Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column.
15 CVE-2019-13076 89 Exec Code Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir].
16 CVE-2019-12918 89 Sql 2019-11-06 2019-11-07
7.5
None Remote Low Not required Partial Partial Partial
Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir].
17 CVE-2019-12720 89 Sql 2019-11-12 2019-11-15
5.0
None Remote Low Not required Partial None None
AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to mvc_send_mail.aspx (MailAdd parameter) SQL Injection. An Attacker can carry a SQL Injection payload to the server, allowing the attacker to read privileged data. This also affects the picture_manage_mvc.aspx plant_no parameter, the swapdl_mvc.aspx plant_no parameter, and the account_management.aspx Text_Postal_Code and Text_Dis_Code parameters.
18 CVE-2019-10766 89 Sql 2019-11-19 2019-11-20
7.5
None Remote Low Not required Partial Partial Partial
Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit() function due to improper sanitization.
19 CVE-2019-10763 89 Sql 2019-11-18 2020-03-18
4.0
None Remote Low ??? Partial None None
pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attacker with limited privileges (classes permission) can achieve a SQL injection that can lead in data leakage. The vulnerability can be exploited via 'id', 'storeId', 'pageSize' and 'tables' parameters, using a payload for trigger a time based or error based sql injection.
20 CVE-2019-8143 89 Sql +Info 2019-11-06 2019-11-06
4.0
None Remote Low ??? Partial None None
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database.
21 CVE-2019-8134 89 Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables.
22 CVE-2019-8130 89 Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates.
23 CVE-2019-8127 89 Sql 2019-11-05 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation.
24 CVE-2019-6658 89 Sql 2019-11-01 2019-11-05
4.0
None Remote Low ??? Partial None None
On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, 13.1.0-13.1.3.1, and 12.1.0-12.1.5, a vulnerability in the AFM configuration utility may allow any authenticated BIG-IP user to run an SQL injection attack.
25 CVE-2019-4387 89 Sql 2019-11-26 2019-12-09
6.5
None Remote Low ??? Partial Partial Partial
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.2.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 162715.
26 CVE-2019-3661 89 Exec Code Sql 2019-11-14 2019-11-15
6.5
None Remote Low ??? Partial Partial Partial
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
27 CVE-2019-2211 89 Sql 2019-11-13 2019-11-14
7.8
None Remote Low Not required Complete None None
In createProjectionMapForQuery of TvProvider.java, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-135269669
28 CVE-2019-2198 89 Sql 2019-11-13 2019-11-15
4.9
None Local Low Not required Complete None None
In Download Provider, there is a possible SQL injection vulnerability. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-135270103
29 CVE-2019-2196 89 Sql 2019-11-13 2019-11-15
4.9
None Local Low Not required Complete None None
In Download Provider, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-135269143
30 CVE-2019-0393 89 Sql 2019-11-13 2019-11-15
4.0
None Remote Low ??? Partial None None
An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry out targeted database queries that can read individual fields of historical inspection results.
31 CVE-2013-2738 89 Sql 2019-11-01 2019-11-04
7.5
None Remote Low Not required Partial Partial Partial
minidlna has SQL Injection that may allow retrieval of arbitrary files
32 CVE-2013-2091 89 Exec Code Sql 2019-11-20 2019-11-21
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
33 CVE-2011-3584 89 Sql 2019-11-26 2019-12-05
7.5
None Remote Low Not required Partial Partial Partial
The TYPO3 Core wec_discussion extension before 2.1.1 is vulnerable to SQL Injection due to improper sanitation of user-supplied input.
34 CVE-2011-3583 89 Sql 2019-11-26 2019-12-05
7.5
None Remote Low Not required Partial Partial Partial
It was found that Typo3 Core versions 4.5.0 - 4.5.5 uses prepared statements that, if the parameter values are not properly replaced, could lead to a SQL Injection vulnerability. This issue can only be exploited if two or more parameters are bound to the query and at least two come from user input.
35 CVE-2011-2936 89 Sql 2019-11-12 2019-11-12
7.5
None Remote Low Not required Partial Partial Partial
Elgg through 1.7.10 has a SQL injection vulnerability
36 CVE-2011-1939 89 Sql 2019-11-26 2019-12-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6.
37 CVE-2011-1933 89 Sql 2019-11-26 2020-01-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Jifty::DBI before 0.68.
38 CVE-2010-3662 89 Sql 2019-11-04 2019-11-05
6.5
None Remote Low ??? Partial Partial Partial
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.
Total number of vulnerabilities : 38   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.