CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2021(SQL Injection)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
501 CVE-2021-21427 89 Sql 2021-04-21 2021-04-30
6.5
None Remote Low ??? Partial Partial Partial
Magento-lts is a long-term support alternative to Magento Community Edition (CE). A vulnerability in magento-lts versions before 19.4.13 and 20.0.9 potentially allows an administrator unauthorized access to restricted resources. This is a backport of CVE-2021-21024. The vulnerability is patched in versions 19.4.13 and 20.0.9.
502 CVE-2021-21380 89 Sql 2021-03-23 2021-03-24
6.5
None Remote Low ??? Partial Partial Partial
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager.
503 CVE-2021-21339 312 Sql 2021-03-23 2021-03-26
5.0
None Remote Low Not required Partial None None
TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 user session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. This is fixed in versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1.
504 CVE-2021-21024 89 Sql 2021-02-11 2021-02-16
6.5
None Remote Low ??? Partial Partial Partial
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
505 CVE-2021-20736 74 Sql +Info 2021-06-22 2021-07-01
6.4
None Remote Low Not required Partial Partial None
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
506 CVE-2021-20720 89 Exec Code Sql +Info 2021-05-20 2021-05-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in KonaWiki2 versions prior to 2.2.4 allows remote attackers to execute arbitrary SQL commands and to obtain/alter the information stored in the database via unspecified vectors.
507 CVE-2021-20678 89 Exec Code Sql 2021-03-18 2021-03-23
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
508 CVE-2021-20028 89 Sql 2021-08-04 2021-08-11
7.5
None Remote Low Not required Partial Partial Partial
** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier.
509 CVE-2021-20016 89 Sql 2021-02-04 2021-02-08
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL queries to access usernames, passwords and other session-related information. This vulnerability impacts SMA100 build version 10.x.
510 CVE-2021-3958 89 Sql 2021-11-16 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
Due to improper sanitization, iPack SCADA Automation software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with web access is able to extract critical information from the system.
511 CVE-2021-3935 89 Sql 2021-11-22 2021-12-31
5.1
None Remote High Not required Partial Partial Partial
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.
512 CVE-2021-3860 89 Sql 2021-12-20 2022-01-03
6.5
None Remote Low ??? Partial Partial Partial
JFrog Artifactory before 7.25.4 (Enterprise+ deployments only) is vulnerable to Blind SQL Injection by a low privileged authenticated user due to incomplete validation when performing an SQL query.
513 CVE-2021-3817 89 Sql 2021-12-09 2022-01-04
7.5
None Remote Low Not required Partial Partial Partial
wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL Command.
514 CVE-2021-3604 89 Sql 2021-06-18 2021-06-24
7.5
None Remote Low Not required Partial Partial Partial
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.
515 CVE-2021-3515 77 Exec Code Sql 2021-06-01 2021-06-14
7.2
None Local Low Not required Complete Complete Complete
A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription().
516 CVE-2021-3286 89 Sql 2021-01-26 2021-01-30
7.5
None Remote Low Not required Partial Partial Partial
SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete fix for CVE-2020-35545.
517 CVE-2021-3278 89 Sql Bypass 2021-01-26 2021-06-03
7.5
None Remote Low Not required Partial Partial Partial
Local Service Search Engine Management System 1.0 has a vulnerability through authentication bypass using SQL injection. Using this vulnerability, an attacker can bypass the login page.
518 CVE-2021-3264 89 Sql 2021-08-27 2021-09-01
6.5
None Remote Low ??? Partial Partial Partial
SQL Injection vulnerability in cxuucms 3.1 via the pid parameter in public/admin.php.
519 CVE-2021-3239 89 Exec Code Sql 2021-02-15 2021-11-02
7.5
None Remote Low Not required Partial Partial Partial
E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell.
520 CVE-2021-3119 89 DoS Exec Code Sql 2021-03-25 2021-03-27
5.0
None Remote Low Not required None None Partial
Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing issue related to sqlcipher_export in crypto.c and sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a remote denial of service attack. For example, an SQL injection can be used to execute the crafted SQL command sequence, which causes a segmentation fault.
521 CVE-2021-3118 89 Sql 2021-01-11 2021-01-14
7.5
None Remote Low Not required Partial Partial Partial
** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form (such as /req_password_user.php?email=). This allows an attacker to steal data in the database and obtain access to the application. (The database component runs as root.) NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
522 CVE-2021-3110 89 Sql 2021-01-20 2021-01-22
7.5
None Remote Low Not required Partial Partial Partial
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
523 CVE-2021-3025 89 Sql 2021-01-08 2021-01-15
6.5
None Remote Low ??? Partial Partial Partial
Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php).
524 CVE-2021-3021 89 Sql 2021-01-05 2021-01-07
7.5
None Remote Low Not required Partial Partial Partial
ISPConfig before 3.2.2 allows SQL injection.
525 CVE-2021-3018 89 Sql 2021-01-05 2021-01-07
7.5
None Remote Low Not required Partial Partial Partial
ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page.
526 CVE-2021-1636 89 Sql 2021-01-12 2021-01-14
6.5
None Remote Low ??? Partial Partial Partial
Microsoft SQL Elevation of Privilege Vulnerability
527 CVE-2021-1365 89 Sql 2021-05-06 2021-05-14
5.5
None Remote Low ??? Partial Partial None
Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities are due to improper validation of user-submitted parameters. An attacker could exploit these vulnerabilities by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database.
528 CVE-2021-1364 89 Sql 2021-01-20 2021-01-29
4.0
None Remote Low ??? Partial None None
Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
529 CVE-2021-1363 89 Sql 2021-05-06 2021-05-14
5.5
None Remote Low ??? Partial Partial None
Multiple vulnerabilities in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities are due to improper validation of user-submitted parameters. An attacker could exploit these vulnerabilities by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to obtain data or modify data that is stored in the underlying database.
530 CVE-2021-1357 35 Sql 2021-01-20 2021-01-29
4.0
None Remote Low ??? Partial None None
Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
531 CVE-2021-1355 89 Sql 2021-01-20 2021-01-29
4.0
None Remote Low ??? Partial None None
Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
532 CVE-2021-1282 35 Sql 2021-01-20 2021-01-28
4.0
None Remote Low ??? Partial None None
Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
533 CVE-2021-1248 89 Exec Code Sql 2021-01-20 2021-01-27
6.5
None Remote Low ??? Partial Partial Partial
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
534 CVE-2021-1247 89 Exec Code Sql 2021-01-20 2021-01-27
6.5
None Remote Low ??? Partial Partial Partial
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
535 CVE-2021-1225 89 Sql 2021-01-20 2021-01-27
6.4
None Remote Low Not required Partial Partial None
Multiple vulnerabilities in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct SQL injection attacks on an affected system. These vulnerabilities exist because the web-based management interface improperly validates values in SQL queries. An attacker could exploit these vulnerabilities by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system.
536 CVE-2021-1222 89 Sql 2021-01-20 2021-01-28
5.5
None Remote Low ??? Partial Partial None
A vulnerability in the web-based management interface of Cisco Smart Software Manager Satellite could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates values within SQL queries. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database or the operating system.
537 CVE-2020-36195 89 Sql +Info 2021-04-17 2021-04-23
7.5
None Remote Low Not required Partial Partial Partial
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on: QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later; QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later; QTS 4.4.x and later: Multimedia Console 1.3.4 and later. We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively: QTS 4.3.3.1624 Build 20210416 or later; QTS 4.3.6.1620 Build 20210322 or later.
538 CVE-2020-36112 89 Sql 2021-01-04 2021-01-07
7.5
None Remote Low Not required Partial Partial Partial
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php and in cart.php. A successful exploitation of this vulnerability will lead to an attacker dumping the entire database on which the web application is running.
539 CVE-2020-36033 89 Sql 2021-07-22 2021-07-30
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the id parameter to edituser.php.
540 CVE-2020-36004 89 Sql +Info 2021-06-03 2021-06-08
4.0
None Remote Low ??? Partial None None
AppCMS 2.0.101 in /admin/download_frame.php has a SQL injection vulnerability which allows attackers to obtain sensitive database information.
541 CVE-2020-36003 89 Sql 2021-02-17 2021-02-18
5.0
None Remote Low Not required Partial None None
The id parameter in detail.php of Online Book Store v1.0 is vulnerable to union-based blind SQL injection, which leads to the ability to retrieve all databases.
542 CVE-2020-36002 89 Sql +Info 2021-02-17 2021-04-01
5.0
None Remote Low Not required Partial None None
Seat-Reservation-System 1.0 has a SQL injection vulnerability in index.php in the id parameter where attackers can obtain sensitive database information.
543 CVE-2020-35765 89 Sql 2021-02-05 2021-02-17
6.5
None Remote Low ??? Partial Partial Partial
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
544 CVE-2020-35701 89 Exec Code Sql 2021-01-11 2021-05-21
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id parameter. This can lead to remote code execution.
545 CVE-2020-35700 89 Exec Code Sql 2021-02-08 2021-02-09
6.5
None Remote Low ??? Partial Partial Partial
A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings endpoint.
546 CVE-2020-35441 89 Sql 2021-06-02 2021-06-10
7.5
None Remote Low Not required Partial Partial Partial
FDCMS (aka Fangfa Content Management System) 4.0 contains a front-end SQL injection via Admin/Lib/Action/FloginAction.class.php.
547 CVE-2020-35430 89 Sql 2021-04-29 2021-04-30
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in com/inxedu/OS/edu/controller/letter/AdminMsgSystemController in Inxedu v2.0.6 via the ids parameter to admin/letter/delsystem.
548 CVE-2020-35427 89 Exec Code Sql Bypass 2021-07-20 2021-09-21
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in PHPGurukul Employee Record Management System 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
549 CVE-2020-35337 89 Exec Code Sql 2021-03-24 2021-03-24
7.5
None Remote Low Not required Partial Partial Partial
ThinkSAAS before 3.38 contains a SQL injection vulnerability through app/topic/action/admin/topic.php via the title parameter, which allows remote attackers to execute arbitrary SQL commands.
550 CVE-2020-35329 89 Sql 2021-03-04 2021-03-04
4.0
None Remote Low ??? Partial None None
Courier Management System 1.0 is affected by SQL Injection via 'MULTIPART street'.
Total number of vulnerabilities: 627 (page 11 of 13)