CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In July 2019(SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1010259 89 Sql 2019-07-18 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
2 CVE-2019-1010248 89 Sql 2019-07-18 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malicious HTTP POST request. The fixed version is: 1.12.1.
3 CVE-2019-1010201 89 Sql 2019-07-23 2019-07-24
4.0
None Remote Low ??? Partial None None
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later.
4 CVE-2019-1010191 89 Sql 2019-07-24 2019-07-29
7.5
None Remote Low Not required Partial Partial Partial
marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6.
5 CVE-2019-1010153 89 Sql 2019-07-23 2019-07-24
7.5
None Remote Low Not required Partial Partial Partial
zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php.
6 CVE-2019-1010148 89 Exec Code Sql 2019-07-23 2019-07-24
7.5
None Remote Low Not required Partial Partial Partial
zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.
7 CVE-2019-1010104 89 Sql 2019-07-18 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request.
8 CVE-2019-1010034 89 Sql 2019-07-15 2019-08-21
4.0
None Remote Low ??? Partial None None
Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC.
9 CVE-2019-14313 89 Exec Code Sql 2019-07-30 2019-08-13
10.0
None Remote Low Not required Complete Complete Complete
A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/model.php.
10 CVE-2019-14266 89 Sql 2019-07-25 2019-07-29
6.5
None Remote Low ??? Partial Partial Partial
OpenSNS v6.1.0 allows SQL Injection via the index.php?s=/ucenter/Config/ uid parameter because of the getNeedQueryData function in Application/Common/Model/UserModel.class.php.
11 CVE-2019-14231 89 Exec Code Sql 2019-07-21 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure.
12 CVE-2019-14230 89 Exec Code Sql 2019-07-21 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure.
13 CVE-2019-13978 89 Sql 2019-07-19 2019-07-27
6.5
None Remote Low ??? Partial Partial Partial
Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request.
14 CVE-2019-13969 89 Sql 2019-07-19 2019-07-19
6.5
None Remote Low ??? Partial Partial Partial
Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request.
15 CVE-2019-13575 89 Exec Code Sql 2019-07-18 2019-07-19
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php
16 CVE-2019-13573 89 Exec Code Sql 2019-07-17 2019-07-31
10.0
None Remote Low Not required Complete Complete Complete
A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
17 CVE-2019-13571 89 Exec Code Sql 2019-07-29 2019-08-06
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
18 CVE-2019-13570 89 Sql 2019-07-23 2019-07-31
6.5
None Remote Low ??? Partial Partial Partial
The AJdG AdRotate plugin before 5.3 for WordPress allows SQL Injection.
19 CVE-2019-13569 89 Exec Code Sql 2019-07-19 2019-07-31
10.0
None Remote Low Not required Complete Complete Complete
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
20 CVE-2019-13507 89 Sql 2019-07-11 2019-07-14
7.5
None Remote Low Not required Partial Partial Partial
hidea.com AZ Admin 1.0 has news_det.php?cod= SQL Injection.
21 CVE-2019-13489 89 Sql 2019-07-10 2019-07-14
7.5
None Remote Low Not required Partial Partial Partial
Trape through 2019-05-08 has SQL injection via the data[2] variable in core/db.py, as demonstrated by the /bs t parameter.
22 CVE-2019-13447 89 Sql 2019-07-17 2019-07-18
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Sertek Xpare 3.67. The login form does not sanitize input data. Because of this, a malicious agent could access the backend database via SQL injection.
23 CVE-2019-13413 89 Sql 2019-07-08 2019-07-31
7.5
None Remote Low Not required Partial Partial Partial
The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php.
24 CVE-2019-13375 89 Sql 2019-07-06 2019-07-09
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. The vulnerability does not need any authentication.
25 CVE-2019-13373 89 Sql 2019-07-06 2019-07-09
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL.
26 CVE-2019-13292 89 Sql 2019-07-04 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.
27 CVE-2019-13275 89 Sql 2019-07-04 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default "use cache plugin" setting is enabled, is vulnerable to unauthenticated blind SQL Injection.
28 CVE-2019-13146 74 Sql XSS 2019-07-09 2020-08-24
5.0
None Remote Low Not required None Partial None
The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).
29 CVE-2019-13027 89 Sql 2019-07-12 2019-07-15
7.5
None Remote Low Not required Partial Partial Partial
Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least in the taskupdt/taskdetails.aspx webpage via the projectname parameter.
30 CVE-2019-13026 89 Sql 2019-07-30 2019-08-07
7.5
None Remote Low Not required Partial Partial Partial
OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary.
31 CVE-2019-12989 89 Sql 2019-07-16 2019-11-20
7.5
None Remote Low Not required Partial Partial Partial
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
32 CVE-2019-12946 89 Sql 2019-07-19 2019-07-22
5.0
None Remote Low Not required Partial None None
Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx and EventSearchAdv.aspx.
33 CVE-2019-12850 89 Sql 2019-07-03 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.
34 CVE-2019-12838 89 Sql 2019-07-11 2022-01-17
7.5
None Remote Low Not required Partial Partial Partial
SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.
35 CVE-2019-12723 89 Sql 2019-07-10 2019-07-11
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
36 CVE-2019-12570 89 Exec Code Sql 2019-07-03 2019-12-02
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in the Xpert Solution "Server Status by Hostname/IP" plugin 4.6 for WordPress allows an authenticated user to execute arbitrary SQL commands via GET parameters.
37 CVE-2019-12193 89 Sql 2019-07-19 2019-07-29
7.5
None Remote Low Not required Partial Partial Partial
H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter.
38 CVE-2019-11512 89 Sql 2019-07-09 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5.
39 CVE-2019-10653 89 Sql 2019-07-10 2019-07-11
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Hsycms V1.1. There is a SQL injection vulnerability via a /news/*.html page.
40 CVE-2019-10141 89 DoS Sql 2019-07-30 2021-08-04
6.4
None Remote Low Not required None Partial Partial
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
41 CVE-2019-9885 89 Exec Code Sql 2019-07-25 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
eClass platform < ip.2.5.10.2.1 allows an attacker to execute SQL command via /admin/academic/studenview_left.php StudentID parameter.
42 CVE-2019-7003 89 Exec Code Sql 2019-07-11 2019-10-09
6.4
None Remote Low Not required Partial Partial None
A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. Affected versions of Avaya Control Manager include 7.x and 8.0.x versions prior to 8.0.4.0. Unsupported versions not listed here were not evaluated.
43 CVE-2019-5454 89 Sql 2019-07-30 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows to destroy a local cache when a harmful query is executed requiring to resetup the account.
44 CVE-2019-1942 89 Sql 2019-07-17 2019-10-09
4.0
None Remote Low ??? None Partial None
A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted input that includes SQL statements to an affected system. A successful exploit could allow the attacker to modify entries in some database tables, affecting the integrity of the data. At the time of publication, this vulnerability affected Cisco ISE running software releases 2.6.0 and prior.
45 CVE-2018-13442 89 Sql 2019-07-16 2019-07-18
6.5
None Remote Low ??? Partial Partial Partial
SolarWinds Network Performance Monitor 12.3 allows SQL Injection via the /api/ActiveAlertsOnThisEntity/GetActiveAlerts TriggeringObjectEntityNames parameter.
46 CVE-2018-12250 89 Sql 2019-07-03 2019-07-05
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Elite CMS Pro 2.01. In /admin/add_sidebar.php, the ?page= parameter is vulnerable to SQL injection.
47 CVE-2018-11774 89 Sql 2019-07-29 2019-08-07
6.5
None Remote Low ??? Partial Partial Partial
Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and removing VMs to and from hosts. The form data is then used in SQL statements. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.
48 CVE-2018-11772 89 +Priv Sql 2019-07-29 2019-08-07
6.5
None Remote Low ??? Partial Partial Partial
Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what node (if any) was previously selected in the privilege tree. The cookie data is then used in an SQL statement. This allows for an SQL injection attack. Access to this portion of a VCL system requires admin level rights. Other layers of security seem to protect against malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.
49 CVE-2017-18346 89 Exec Code Sql 2019-07-03 2019-07-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in /wbg/core/_includes/authorization.inc.php in CMS Web-Gooroo through 2013-01-19 allows remote attackers to execute arbitrary SQL commands via the wbg_login parameter.
Total number of vulnerabilities : 49   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.