Security Vulnerabilities Published In September 2019 (SQL Injection)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2019-17049 | 89 | | Sql | 2019-09-30 | 2019-10-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | NETGEAR SRX5308 4.3.5-3 devices allow SQL Injection, as exploited in the wild in September 2019 to add a new user account. |
| 2 | CVE-2019-16999 | 89 | | Sql | 2019-09-30 | 2019-10-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | CloudBoot through 2019-03-08 allows SQL Injection via a crafted Status field in JSON data to the api/osinstall/v1/device/getNumByStatus URI. |
| 3 | CVE-2019-16997 | 89 | | Sql | 2019-09-30 | 2019-10-04 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter. |
| 4 | CVE-2019-16996 | 89 | | Sql | 2019-09-30 | 2019-10-04 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter. |
| 5 | CVE-2019-16894 | 89 | | Sql | 2019-09-26 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | download.php in inoERP 4.15 allows SQL injection through insecure deserialization. |
| 6 | CVE-2019-16745 | 89 | | Sql | 2019-09-30 | 2019-10-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection. |
| 7 | CVE-2019-16744 | 89 | | Sql | 2019-09-30 | 2019-10-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | eBrigade before 5.0 has evenements.php cid SQL Injection. |
| 8 | CVE-2019-16743 | 89 | | Sql | 2019-09-30 | 2019-10-02 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | eBrigade before 5.0 has evenement_ical.php evenement SQL Injection. |
| 9 | CVE-2019-16696 | 89 | | Sql | 2019-09-22 | 2019-09-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used. |
| 10 | CVE-2019-16695 | 89 | | Sql | 2019-09-22 | 2019-09-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used. |
| 11 | CVE-2019-16694 | 89 | | Sql | 2019-09-22 | 2019-09-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used. |
| 12 | CVE-2019-16693 | 89 | | Sql | 2019-09-22 | 2019-09-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used. |
| 13 | CVE-2019-16692 | 89 | | Sql | 2019-09-22 | 2019-10-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used. |
| 14 | CVE-2019-16644 | 89 | | Sql | 2019-09-20 | 2019-09-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= substring. |
| 15 | CVE-2019-16642 | 89 | | Sql | 2019-09-20 | 2019-09-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Mobile/Zhuanti/group?id= substring. |
| 16 | CVE-2019-16383 | 89 | | Sql | 2019-09-24 | 2020-04-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection. |
| 17 | CVE-2019-16309 | 89 | | Sql | 2019-09-14 | 2019-09-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | FlameCMS 3.3.5 has SQL injection in account/login.php via accountName. |
| 18 | CVE-2019-16264 | 89 | | Sql | 2019-09-16 | 2019-09-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) v1, the username parameter of the authentication form is vulnerable to SQL injection, allowing attackers to access the database. |
| 19 | CVE-2019-16194 | 89 | | Sql | 2019-09-25 | 2019-09-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. |
| 20 | CVE-2019-16125 | 89 | | Sql | 2019-09-09 | 2019-09-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In Jobberbase 2.0, the parameter category is not sanitized in public/page_subscribe.php, leading to /subscribe SQL injection. |
| 21 | CVE-2019-16119 | 89 | | Sql | 2019-09-08 | 2019-09-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter. |
| 22 | CVE-2019-15872 | 89 | | Sql | 2019-09-03 | 2019-09-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The LoginPress plugin before 1.1.4 for WordPress has SQL injection via an import of settings. |
| 23 | CVE-2019-15301 | 89 | | Exec Code Sql | 2019-09-18 | 2019-09-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL injection vulnerability in the method Terrasoft.Core.DB.Column.Const() in Terrasoft Bpm'online CRM-System SDK 7.13 allows attackers to execute arbitrary SQL commands via the value parameter. |
| 24 | CVE-2019-14254 | 89 | | Sql | 2019-09-18 | 2019-09-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in the secure portal in Publisure 2.1.2. Because SQL queries are not well sanitized, there are multiple SQL injections in userAccFunctions.php functions. Using this, an attacker can access passwords and/or grant access to the user account "user" in order to become "Administrator" (for example). |
| 25 | CVE-2019-13191 | 89 | | Exec Code Sql | 2019-09-05 | 2019-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A SQL injection vulnerability in IntraMaps MapControl 8 allows attackers to execute arbitrary SQL commands via the /ApplicationEngine/Search/Refine/Set page. |
| 26 | CVE-2019-12516 | 89 | | Sql | 2019-09-13 | 2019-10-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-edit&id= or /wp-admin/admin.php?page=slickquiz-preview&id= URI. |
| 27 | CVE-2019-12465 | 89 | | Sql | 2019-09-09 | 2019-09-10 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rulesuggest.php?debug=1&term= request. |
| 28 | CVE-2019-12463 | 74 | | DoS Sql | 2019-09-09 | 2020-08-24 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, disclosing file content, denial of service, or writing arbitrary files. NOTE: relative to CVE-2019-10665, this requires authentication and the pathnames differ. |
| 29 | CVE-2019-10671 | 89 | | Sql | 2019-09-09 | 2019-09-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these database queries to extract or manipulate data, as demonstrated by the graph.php sort parameter. |
| 30 | CVE-2019-10669 | 78 | | Exec Code Sql | 2019-09-09 | 2020-08-24 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru(). |
| 31 | CVE-2019-10665 | 74 | | DoS Sql | 2019-09-09 | 2020-08-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files. |
| 32 | CVE-2019-5996 | 89 | | Exec Code Sql | 2019-09-12 | 2019-09-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in the Video Insight VMS 7.3.2.5 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| 33 | CVE-2019-5991 | 89 | | Exec Code Sql | 2019-09-12 | 2019-09-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.3 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. |
| 34 | CVE-2019-5070 | 89 | | Sql | 2019-09-05 | 2019-09-06 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, resulting in data compromise. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required. |
| 35 | CVE-2019-4147 | 89 | | Sql | 2019-09-16 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413. |
| 36 | CVE-2019-3760 | 89 | | Exec Code Sql | 2019-09-11 | 2020-08-31 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a SQL Injection vulnerability in Workflow Architect. A remote authenticated malicious user could potentially exploit this vulnerability to execute SQL commands on the back-end database to gain unauthorized access to the data by supplying specially crafted input data to the affected application. |
| 37 | CVE-2017-18614 | 89 | | Sql | 2019-09-13 | 2019-09-16 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter. |
| 38 | CVE-2017-18602 | 89 | | Sql | 2019-09-10 | 2019-09-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The examapp plugin 1.0 for WordPress has SQL injection via the wp-admin/admin.php?page=examapp_UserResult id parameter. |
| 39 | CVE-2017-18597 | 89 | | Sql | 2019-09-10 | 2019-09-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL Injection via the admin/class-jtrt-responsive-tables-admin.php tableId parameter. |
| 40 | CVE-2016-11000 | 89 | | Sql | 2019-09-20 | 2019-09-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter. |
| 41 | CVE-2016-10951 | 89 | | Sql | 2019-09-13 | 2019-09-16 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter. |
| 42 | CVE-2016-10950 | 89 | | Sql | 2019-09-13 | 2019-09-16 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The sirv plugin before 1.3.2 for WordPress has SQL injection via the id parameter. |
| 43 | CVE-2016-10949 | 89 | | Sql | 2019-09-13 | 2019-09-16 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization. |
| 44 | CVE-2016-10947 | 89 | | Sql | 2019-09-13 | 2019-09-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin. |
| 45 | CVE-2016-10943 | 89 | | Sql | 2019-09-13 | 2019-09-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter. |
| 46 | CVE-2016-10942 | 89 | | Sql CSRF | 2019-09-13 | 2019-09-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF. |
| 47 | CVE-2016-10940 | 89 | | Sql | 2019-09-13 | 2019-09-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter. |
| 48 | CVE-2016-10939 | 89 | | Sql | 2019-09-13 | 2019-09-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The xtremelocator plugin 1.5 for WordPress has SQL injection via the id parameter. |
| 49 | CVE-2015-9449 | 89 | | Sql | 2019-09-26 | 2019-09-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The microblog-poster plugin before 1.6.2 for WordPress has SQL Injection via the wp-admin/options-general.php?page=microblogposter.php account_id parameter. |
| 50 | CVE-2015-9448 | 89 | | Sql | 2019-09-26 | 2019-09-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter. |
Total number of vulnerabilities: 57. Page 1 of 2.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.