CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2019(SQL Injection) (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1010259 89 Sql 2019-07-18 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
2 CVE-2019-1010248 89 Sql 2019-07-18 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malicious HTTP POST request. The fixed version is: 1.12.1.
3 CVE-2019-1010191 89 Sql 2019-07-24 2019-07-29
7.5
None Remote Low Not required Partial Partial Partial
marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6.
4 CVE-2019-1010153 89 Sql 2019-07-23 2019-07-24
7.5
None Remote Low Not required Partial Partial Partial
zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php.
5 CVE-2019-1010148 89 Exec Code Sql 2019-07-23 2019-07-24
7.5
None Remote Low Not required Partial Partial Partial
zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.
6 CVE-2019-1010104 89 Sql 2019-07-18 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request.
7 CVE-2019-1000023 89 Exec Code Sql 2019-02-04 2019-02-06
7.5
None Remote Low Not required Partial Partial Partial
OPT/NET BV OPTOSS Next Gen Network Management System (NG-NetMS) version v3.6-2 and earlier versions contains a SQL Injection vulnerability in Identified vulnerable parameters: id, id_access_type and id_attr_access that can result in a malicious attacker can include own SQL commands which database will execute. This attack appears to be exploitable via network connectivity.
8 CVE-2019-19846 89 Sql 2019-12-18 2019-12-18
7.5
None Remote Low Not required Partial Partial Partial
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
9 CVE-2019-19740 89 Sql 2019-12-12 2020-01-21
7.5
None Remote Low Not required Partial Partial Partial
Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
10 CVE-2019-19649 89 Sql 2019-12-11 2019-12-19
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
11 CVE-2019-19250 89 Sql 2019-11-25 2019-12-04
7.5
None Remote Low Not required Partial Partial Partial
OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js.
12 CVE-2019-19245 89 Sql 2019-12-02 2019-12-11
7.5
None Remote Low Not required Partial Partial Partial
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
13 CVE-2019-19113 89 Sql 2019-11-18 2019-12-03
7.5
None Remote Low Not required Partial Partial Partial
main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection.
14 CVE-2019-18784 89 Sql 2019-11-06 2019-11-06
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
15 CVE-2019-18663 89 Exec Code Sql 2019-11-04 2019-11-05
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter.
16 CVE-2019-18662 89 Sql 2019-11-02 2019-12-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.
17 CVE-2019-18622 89 Sql 2019-11-22 2020-01-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
18 CVE-2019-18464 89 Sql 2019-10-31 2019-11-06
7.5
None Remote Low Not required Partial Partial Partial
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database or may be able to alter the database.
19 CVE-2019-18413 79 Sql XSS Bypass 2019-10-24 2021-12-07
7.5
None Remote Low Not required Partial Partial Partial
In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.
20 CVE-2019-18387 89 Exec Code Sql 2019-10-23 2019-10-28
7.5
None Remote Low Not required Partial Partial Partial
Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
21 CVE-2019-18344 89 Exec Code Sql 2019-10-23 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
Sourcecodester Online Grading System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, or user page (id or classid parameter).
22 CVE-2019-18234 89 Exec Code Sql 2019-12-23 2019-12-30
7.5
None Remote Low Not required Partial Partial Partial
Equinox Control Expert all versions, is vulnerable to an SQL injection attack, which may allow an attacker to remotely execute arbitrary code.
23 CVE-2019-17602 89 Sql 2019-10-15 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
24 CVE-2019-17580 89 Sql 2019-10-14 2019-10-16
7.5
None Remote Low Not required Partial Partial Partial
tonyy dormsystem through 1.3 allows SQL Injection in admin.php.
25 CVE-2019-17553 89 Sql 2019-10-14 2019-10-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.
26 CVE-2019-17552 89 Sql 2019-10-14 2019-10-16
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.
27 CVE-2019-17527 89 Sql 2019-12-19 2020-01-02
7.5
None Remote Low Not required Partial Partial Partial
dataForDepandantField in models/custormfields.php in the JS JOBS FREE extension before 1.2.7 for Joomla! allows SQL Injection via the index.php?option=com_jsjobs&task=customfields.getfieldtitlebyfieldandfieldfo child parameter.
28 CVE-2019-17429 89 Sql 2019-10-10 2019-10-11
7.5
None Remote Low Not required Partial Partial Partial
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter.
29 CVE-2019-17197 89 Sql 2019-10-05 2019-10-08
7.5
None Remote Low Not required Partial Partial Partial
OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc.
30 CVE-2019-17072 89 Sql 2019-10-10 2019-10-10
7.5
None Remote Low Not required Partial Partial Partial
The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via all-query-page.php.
31 CVE-2019-16999 89 Sql 2019-09-30 2019-10-02
7.5
None Remote Low Not required Partial Partial Partial
CloudBoot through 2019-03-08 allows SQL Injection via a crafted Status field in JSON data to the api/osinstall/v1/device/getNumByStatus URI.
32 CVE-2019-16894 89 Sql 2019-09-26 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
download.php in inoERP 4.15 allows SQL injection through insecure deserialization.
33 CVE-2019-16696 89 Sql 2019-09-22 2019-09-23
7.5
None Remote Low Not required Partial Partial Partial
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
34 CVE-2019-16695 89 Sql 2019-09-22 2019-09-23
7.5
None Remote Low Not required Partial Partial Partial
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
35 CVE-2019-16694 89 Sql 2019-09-22 2019-09-23
7.5
None Remote Low Not required Partial Partial Partial
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.
36 CVE-2019-16693 89 Sql 2019-09-22 2019-09-23
7.5
None Remote Low Not required Partial Partial Partial
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.
37 CVE-2019-16692 89 Sql 2019-09-22 2019-10-01
7.5
None Remote Low Not required Partial Partial Partial
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
38 CVE-2019-16682 89 Sql 2019-10-16 2019-10-21
7.5
None Remote Low Not required Partial Partial Partial
The url_redirect (aka URL redirect) extension through 1.2.1 for TYPO3 fails to properly sanitize user input and is susceptible to SQL Injection.
39 CVE-2019-16644 89 Sql 2019-09-20 2019-09-20
7.5
None Remote Low Not required Partial Partial Partial
App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= substring.
40 CVE-2019-16642 89 Sql 2019-09-20 2019-09-20
7.5
None Remote Low Not required Partial Partial Partial
App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Mobile/Zhuanti/group?id= substring.
41 CVE-2019-16383 89 Sql 2019-09-24 2020-04-14
7.5
None Remote Low Not required Partial Partial Partial
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection.
42 CVE-2019-16309 89 Sql 2019-09-14 2019-09-16
7.5
None Remote Low Not required Partial Partial Partial
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.
43 CVE-2019-16264 89 Sql 2019-09-16 2019-09-17
7.5
None Remote Low Not required Partial Partial Partial
In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) v1, the username parameter of the authentication form is vulnerable to SQL injection, allowing attackers to access the database.
44 CVE-2019-16194 89 Sql 2019-09-25 2019-09-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php.
45 CVE-2019-16125 89 Sql 2019-09-09 2019-09-09
7.5
None Remote Low Not required Partial Partial Partial
In Jobberbase 2.0, the parameter category is not sanitized in public/page_subscribe.php, leading to /subscribe SQL injection.
46 CVE-2019-16119 89 Sql 2019-09-08 2019-09-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.
47 CVE-2019-15933 89 Sql 2019-12-12 2019-12-13
7.5
None Remote Low Not required Partial Partial Partial
Intesync Solismed 3.3sp has SQL Injection.
48 CVE-2019-15872 89 Sql 2019-09-03 2019-09-05
7.5
None Remote Low Not required Partial Partial Partial
The LoginPress plugin before 1.1.4 for WordPress has SQL injection via an import of settings.
49 CVE-2019-15659 89 Sql 2019-08-27 2019-08-28
7.5
None Remote Low Not required Partial Partial Partial
The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969.
50 CVE-2019-15658 89 Sql 2019-08-26 2019-08-30
7.5
None Remote Low Not required Partial Partial Partial
connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data.
Total number of vulnerabilities : 336   Page : 1 (This Page)2 3 4 5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.