CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2021 (SQL Injection)

Each entry below spans four lines. Line 1: # | CVE ID | CWE ID | # of Exploits (blank for every entry on this page) | Vulnerability Type(s) | Publish Date | Update Date. Line 2: CVSS Score. Line 3: Gained Access Level | Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact. Line 4: description.
1 CVE-2020-13873 89 Exec Code Sql Bypass 2021-05-12 2021-05-20
10.0
None Remote Low Not required Complete Complete Complete
A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an attacker can upload a PHP shell and execute remote code on the operating system.)
2 CVE-2020-26712 89 Sql 2021-01-12 2021-07-01
10.0
None Remote Low Not required Complete Complete Complete
REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The application concatenates user-submitted input that is not properly validated into the database query, resulting in an SQL injection vulnerability that an attacker can exploit to compromise all databases.
3 CVE-2020-28960 89 Sql 2021-10-22 2021-10-28
10.0
None Remote Low Not required Complete Complete Complete
Chichen Tech CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the file product_list.php via the id and cid parameters.
4 CVE-2021-26754 89 Sql 2021-02-08 2021-02-09
10.0
None Remote Low Not required Complete Complete Complete
wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection.
5 CVE-2021-29089 89 Exec Code Sql 2021-06-02 2021-06-10
10.0
None Remote Low Not required Complete Complete Complete
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
6 CVE-2021-31316 89 Sql 2021-05-18 2021-05-24
10.0
None Remote Low Not required Complete Complete Complete
The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter.
7 CVE-2021-32983 89 Exec Code Sql 2021-08-30 2021-09-07
10.0
None Remote Low Not required Complete Complete Complete
A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
8 CVE-2021-36385 89 Exec Code Sql 2021-08-24 2021-08-31
10.0
None Remote Low Not required Complete Complete Complete
A SQL Injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell.
9 CVE-2021-36722 89 Sql Bypass 2021-12-29 2022-01-11
10.0
None Remote Low Not required Complete Complete Complete
Emuse - eServices / eNvoice SQL injection can be used in various ways, ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi is caused by CWE-209: Generation of Error Message Containing Sensitive Information, which shows parts of the aspx code and the webroot location, information an attacker can leverage to further compromise the host.
10 CVE-2021-37749 89 Sql 2021-08-30 2021-09-01
10.0
None Remote Low Not required Complete Complete Complete
MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method.
11 CVE-2021-38390 89 Exec Code Sql 2021-08-30 2021-09-07
10.0
None Remote Low Not required Complete Complete Complete
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
12 CVE-2021-38391 89 Exec Code Sql 2021-08-30 2021-09-07
10.0
None Remote Low Not required Complete Complete Complete
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
13 CVE-2021-38393 89 Exec Code Sql 2021-08-30 2021-09-07
10.0
None Remote Low Not required Complete Complete Complete
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
14 CVE-2021-42077 89 Sql Bypass 2021-11-08 2021-11-09
10.0
None Remote Low Not required Complete Complete Complete
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
15 CVE-2021-42313 89 Exec Code Sql 2021-12-15 2021-12-30
10.0
None Remote Low Not required Complete Complete Complete
Microsoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42311, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882, CVE-2021-43889.
16 CVE-2021-43130 89 Sql 2021-11-03 2021-11-17
10.0
None Remote Low Not required Complete Complete Complete
An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.
17 CVE-2021-44966 89 Sql Bypass 2021-12-13 2021-12-17
10.0
None Remote Low Not required Complete Complete Complete
SQL injection bypass authentication vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. An attacker can log in as an admin account of this system and can destroy, change or manipulate all sensitive information on the system.
18 CVE-2021-45255 89 Sql 2021-12-21 2022-01-04
10.0
None Remote Low Not required Complete Complete Complete
The email parameter from ajax.php of Video Sharing Website 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
19 CVE-2021-37803 89 Sql 2021-10-27 2021-11-02
9.3
None Remote Medium Not required Complete Complete Complete
An SQL Injection vulnerability exists in Sourcecodester Online Covid Vaccination Scheduler System 1.0 via the username in lognin.php.
20 CVE-2020-27869 89 Sql 2021-02-12 2021-03-26
9.0
None Remote Low ??? Complete Complete Complete
This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor 2020 HF1, NPM: 2020.2. Authentication is required to exploit this vulnerability. The specific flaw exists within the WriteToFile method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges and reset the password for the Admin user. Was ZDI-CAN-11804.
21 CVE-2021-27928 78 Exec Code Sql 2021-03-19 2022-01-04
9.0
None Remote Low ??? Complete Complete Complete
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
22 CVE-2021-29090 89 Exec Code Sql 2021-06-02 2021-06-10
9.0
None Remote Low ??? Complete Complete Complete
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
23 CVE-2021-32590 89 Exec Code Sql 2021-08-04 2021-08-11
9.0
None Remote Low ??? Complete Complete Complete
Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests.
24 CVE-2021-35212 89 Sql 2021-08-31 2021-11-05
9.0
None Remote Low ??? Complete Complete Complete
An SQL injection privilege escalation vulnerability, reported by the ZDI team, was discovered in the Orion Platform. It is a blind Boolean SQL injection that could lead to full read/write access to the Orion database content, including the Orion certificate, for any authenticated user.
25 CVE-2021-43408 89 Exec Code Sql 2021-11-19 2021-11-24
9.0
None Remote Low ??? Complete Complete Complete
The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client-supplied data is included within an SQL query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it is also possible to exploit features of the SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators; however, the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.
26 CVE-2010-1435 863 Sql Bypass 2021-06-21 2021-09-20
7.5
None Remote Low Not required Partial Partial Partial
Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
27 CVE-2019-12348 89 Sql 2021-05-24 2021-05-27
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter.
28 CVE-2019-25019 89 Sql 2021-02-14 2021-06-04
7.5
None Remote Low Not required Partial Partial Partial
LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant model.
29 CVE-2020-6577 89 Sql 2021-03-19 2021-03-25
7.5
None Remote Low Not required Partial Partial Partial
The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection.
30 CVE-2020-10582 89 Sql 2021-03-25 2021-03-27
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection on the /admin/display_errors.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote attackers to execute arbitrary SQL requests (including data reading and modification) on the database.
31 CVE-2020-16629 89 Sql 2021-02-08 2021-02-10
7.5
None Remote Low Not required Partial Partial Partial
PhpOK 5.4.137 contains a SQL injection vulnerability through which attachment data can be injected via SQL; the attachment replacement function can then be called through api.php to write a PHP file to the target path.
32 CVE-2020-18013 89 Sql 2021-07-30 2021-08-03
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in Whatsns 4.0 via the ip parameter in index.php?admin_banned/add.htm.
33 CVE-2020-18106 89 Sql 2021-08-27 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
The GET parameter "id" in WMS v1.0 is passed without filtering, which allows attackers to perform SQL injection.
34 CVE-2020-18144 89 Sql 2021-07-14 2021-07-22
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection Vulnerability in ECTouch v2 via the integral_min parameter in index.php.
35 CVE-2020-18155 89 Sql 2021-07-14 2021-07-29
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection.
36 CVE-2020-18164 89 Sql 2021-08-17 2021-08-25
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in tp-shop 2.x-3.x via the /index.php/home/api/shop fBill parameter.
37 CVE-2020-18175 89 Sql 2021-07-30 2021-08-03
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php.
38 CVE-2020-18262 89 Sql 2021-11-03 2021-11-05
7.5
None Remote Low Not required Partial Partial Partial
ED01-CMS v1.0 was discovered to contain a SQL injection in the component cposts.php via the cid parameter.
39 CVE-2020-18544 89 Exec Code Sql 2021-07-12 2021-07-14
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in WMS v1.0 allows remote attackers to execute arbitrary code via the "username" parameter in the component "chkuser.php".
40 CVE-2020-18662 89 Sql 2021-06-24 2021-06-28
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in gnuboard5 <=v5.3.2.8 via the table_prefix parameter in install_db.php.
41 CVE-2020-18667 89 Sql 2021-06-24 2021-09-13
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in WebPort <=1.19.1 via the new connection, parameter name in type-conn.
42 CVE-2020-18713 89 +Priv Sql 2021-02-05 2021-02-05
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in customerAction.php.
43 CVE-2020-18714 89 +Priv Sql 2021-02-05 2021-02-05
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordModel.php's getdata function.
44 CVE-2020-18716 89 +Priv Sql 2021-02-05 2021-02-05
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordAction.php.
45 CVE-2020-18717 89 Exec Code Sql 2021-02-05 2021-02-08
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php.
46 CVE-2020-19705 89 Sql 2021-08-26 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
thinkphp-zcms as of 20190715 allows SQL injection via index.php?m=home&c=message&a=add.
47 CVE-2020-19853 89 Sql 2021-09-08 2021-09-10
7.5
None Remote Low Not required Partial Partial Partial
BlueCMS v1.6 contains a SQL injection vulnerability via /ad_js.php.
48 CVE-2020-20120 89 Sql 2021-09-28 2021-10-06
7.5
None Remote Low Not required Partial Partial Partial
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.
49 CVE-2020-20122 89 Sql 2021-09-28 2021-10-06
7.5
None Remote Low Not required Partial Partial Partial
Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php.
50 CVE-2020-20289 89 Sql 2021-02-01 2021-02-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the yccms 3.3 project. The no_top function's improper checking of the request parameters triggers a SQL injection vulnerability.
Total number of vulnerabilities: 627. Page 1 of 13 (this page).