
Security Vulnerabilities Published In January 2021 (SQL Injection)

Columns: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
Each row is followed by the CVE description.

1 | CVE-2021-23837 | 89 | | Sql | 2021-01-15 | 2021-01-22 | 4.0 | None | Remote | Low | ??? | Partial | None | None
  An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter of the acp interface. The affected parameter (which retrieves the file contents of the specified folder) accepts malicious user input without proper sanitization, leading to SQL injection. Database-related information can be retrieved.

2 | CVE-2021-22852 | 89 | | Sql | 2021-01-19 | 2021-01-22 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  The HGiga EIP product contains a SQL injection vulnerability. Attackers can inject SQL commands into a specific URL parameter (online registration) to obtain database schema and data.

3 | CVE-2021-22851 | 89 | | Sql | 2021-01-19 | 2021-01-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  The HGiga EIP product contains a SQL injection vulnerability. Attackers can inject SQL commands into a specific URL parameter (document management page) to obtain database schema and data.

4 | CVE-2021-22847 | 89 | | Exec Code Sql | 2021-01-22 | 2021-01-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Hyweb HyCMS-J1's API fails to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privileges.

5 | CVE-2021-21465 | 89 | | Exec Code Sql | 2021-01-12 | 2021-02-11 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  The BW Database Interface allows an attacker with low privileges to execute any crafted database queries, exposing the backend database. An attacker can include their own SQL commands, which the database will execute without properly sanitizing the untrusted data, leading to a SQL injection vulnerability that can fully compromise the affected SAP system.

6 | CVE-2021-3286 | 89 | | Sql | 2021-01-26 | 2021-01-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete fix for CVE-2020-35545.

7 | CVE-2021-3278 | 89 | | Sql Bypass | 2021-01-26 | 2021-06-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  Local Service Search Engine Management System 1.0 has an authentication bypass vulnerability via SQL injection. Using this vulnerability, an attacker can bypass the login page.

8 | CVE-2021-3118 | 89 | | Sql | 2021-01-11 | 2021-01-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  ** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has multiple SQL injection issues in the login form and the password-forgotten form (such as /req_password_user.php?email=). This allows an attacker to steal data from the database and obtain access to the application. (The database component runs as root.) NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

9 | CVE-2021-3110 | 89 | | Sql | 2021-01-20 | 2021-01-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.

10 | CVE-2021-3025 | 89 | | Sql | 2021-01-08 | 2021-01-15 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Invision Community IPS Community Suite before 4.5.4.2 allows SQL injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php).

11 | CVE-2021-3021 | 89 | | Sql | 2021-01-05 | 2021-01-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  ISPConfig before 3.2.2 allows SQL injection.

12 | CVE-2021-3018 | 89 | | Sql | 2021-01-05 | 2021-01-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated boolean-based SQL injection via the id parameter on the /cms/print.php page.
13 | CVE-2021-1636 | 89 | | Sql | 2021-01-12 | 2021-01-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Microsoft SQL Elevation of Privilege Vulnerability

14 | CVE-2021-1364 | 89 | | Sql | 2021-01-20 | 2021-01-29 | 4.0 | None | Remote | Low | ??? | Partial | None | None
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

15 | CVE-2021-1357 | 35 | | Sql | 2021-01-20 | 2021-01-29 | 4.0 | None | Remote | Low | ??? | Partial | None | None
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

16 | CVE-2021-1355 | 89 | | Sql | 2021-01-20 | 2021-01-29 | 4.0 | None | Remote | Low | ??? | Partial | None | None
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

17 | CVE-2021-1282 | 35 | | Sql | 2021-01-20 | 2021-01-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None
  Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

18 | CVE-2021-1248 | 89 | | Exec Code Sql | 2021-01-20 | 2021-01-27 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

19 | CVE-2021-1247 | 89 | | Exec Code Sql | 2021-01-20 | 2021-01-27 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

20 | CVE-2021-1225 | 89 | | Sql | 2021-01-20 | 2021-01-27 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
  Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities exist because the web-based management interface improperly validates values in SQL queries. An attacker could exploit these vulnerabilities by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system.

21 | CVE-2021-1222 | 89 | | Sql | 2021-01-20 | 2021-01-28 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None
  A vulnerability in the web-based management interface of Cisco Smart Software Manager Satellite could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates values within SQL queries. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system.

22 | CVE-2020-36112 | 89 | | Sql | 2021-01-04 | 2021-01-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in the pubid parameter in bookPerPub.php and in cart.php. Successful exploitation of this vulnerability will allow an attacker to dump the entire database on which the web application is running.

23 | CVE-2020-35701 | 89 | | Exec Code Sql | 2021-01-11 | 2021-05-21 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.

24 | CVE-2020-35270 | 89 | | Sql | 2021-01-26 | 2021-02-01 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
  Student Result Management System In PHP With Source Code is affected by SQL injection. An attacker is able to access the Admin Panel and manage every Result account.
25 | CVE-2020-35263 | 89 | | Exec Code Sql | 2021-01-26 | 2021-02-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  EgavilanMedia User Registration & Login System 1.0 is affected by SQL injection to the admin panel, which may allow arbitrary code execution.

26 | CVE-2020-29493 | 89 | | Exec Code Sql | 2021-01-14 | 2021-01-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL injection vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database, causing unauthorized read and write access to application data. Exploitation may lead to leakage or deletion of sensitive backup data; hence the severity is Critical. Dell EMC recommends customers to upgrade at the earliest opportunity.

27 | CVE-2020-29437 | 89 | | Exec Code Sql | 2021-01-05 | 2021-01-07 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial
  SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.

28 | CVE-2020-29015 | 89 | | Exec Code Sql | 2021-01-14 | 2021-01-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and versions before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.

29 | CVE-2020-27733 | 89 | | Sql | 2021-01-19 | 2021-01-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL injection via a crafted Alarmview request.

30 | CVE-2020-26773 | 89 | | Exec Code Sql | 2021-01-07 | 2021-01-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Restaurant Reservation System 1.0 suffers from an authenticated SQL injection vulnerability, which allows a remote, authenticated attacker to execute arbitrary SQL commands via the date parameter in includes/reservation.inc.php.

31 | CVE-2020-26712 | 89 | | Sql | 2021-01-12 | 2021-07-01 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
  REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via the sort parameter. The application concatenates user-submitted input into the database query without properly validating it, resulting in a SQL injection vulnerability that an attacker can exploit to compromise all databases.

32 | CVE-2020-26045 | 89 | | Sql | 2021-01-05 | 2021-01-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  FUEL CMS 1.4.11 allows SQL injection via the 'name' parameter in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

33 | CVE-2020-23630 | 89 | | Sql | 2021-01-11 | 2021-01-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  A time-based blind SQL injection vulnerability exists in zzcms ver201910 (cookie injection).

34 | CVE-2020-23262 | 89 | | Sql | 2021-01-26 | 2021-01-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
  An issue was discovered in ming-soft MCMS v5.0, where a malicious user can exploit SQL injection through /mcms/view.do without logging in.

35 | CVE-2020-5428 | 89 | | Sql | 2021-01-27 | 2021-02-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  Applications using Spring Cloud Task 2.2.4.RELEASE and below may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer.

36 | CVE-2020-5427 | 89 | | Sql | 2021-01-27 | 2021-02-04 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5 and versions 2.5.x prior to 2.5.4, an application is vulnerable to SQL injection when requesting task execution.

37 | CVE-2020-4921 | 89 | | Sql | 2021-01-20 | 2021-01-22 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
  IBM Security Guardium 10.6 and 11.2 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 191398.
Total number of vulnerabilities: 37 (page 1 of 1)