Security Vulnerabilities Published In 2021(SQL Injection)

Each record below consists of four lines, with the following columns:

Line 1: # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Line 2: Score (CVSS)
Line 3: Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
Line 4: Description
101 CVE-2021-40814 89 Sql 2021-09-08 2021-09-15
7.5
None Remote Low Not required Partial Partial Partial
The Customer Photo Gallery addon before 2.9.4 for PrestaShop is vulnerable to SQL injection.
102 CVE-2021-40674 89 Sql 2021-09-20 2021-09-28
7.5
None Remote Low Not required Partial Partial Partial
An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php.
103 CVE-2021-40670 89 Sql 2021-09-16 2021-09-27
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the /coreframe/app/order/admin/card.php file.
104 CVE-2021-40669 89 Sql 2021-09-16 2021-09-27
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file.
105 CVE-2021-40618 89 Sql 2021-10-12 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.
106 CVE-2021-40617 89 Sql 2021-10-11 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
107 CVE-2021-40578 89 Exec Code Sql +Info 2021-12-07 2021-12-16
6.5
None Remote Low ??? Partial Partial Partial
Authenticated Blind & Error-based SQL injection vulnerability was discovered in Online Enrollment Management System in PHP and PayPal Free Source Code 1.0, that allows attackers to obtain sensitive information and execute arbitrary SQL commands via IDNO parameter.
108 CVE-2021-40543 89 Sql 2021-10-11 2021-10-18
7.5
None Remote Low Not required Partial Partial Partial
Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file.
109 CVE-2021-40493 89 Sql 2021-10-13 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.
110 CVE-2021-40353 89 Sql 2021-09-01 2021-09-09
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.
111 CVE-2021-40313 89 Sql 2021-12-06 2021-12-07
6.5
None Remote Low ??? Partial Partial Partial
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.
112 CVE-2021-40309 89 Sql 2021-09-24 2021-10-01
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0 that allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability.
113 CVE-2021-40282 89 Sql 2021-12-09 2021-12-13
6.5
None Remote Low ??? Partial Partial Partial
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_download.php when registering ordinary users.
114 CVE-2021-40281 89 Sql 2021-12-09 2021-12-13
6.5
None Remote Low ??? Partial Partial Partial
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.
115 CVE-2021-40280 89 Sql 2021-12-09 2021-12-13
6.5
None Remote Low ??? Partial Partial Partial
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.
116 CVE-2021-40279 89 Sql 2021-12-09 2021-12-13
6.5
None Remote Low ??? Partial Partial Partial
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.
117 CVE-2021-40129 89 Sql 2021-11-19 2021-11-23
4.0
None Remote Low ??? Partial None None
A vulnerability in the configuration dashboard of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to submit a SQL query through the CSPC configuration dashboard. This vulnerability is due to insufficient input validation of uploaded files. An attacker could exploit this vulnerability by uploading a file containing a SQL query to the configuration dashboard. A successful exploit could allow the attacker to read restricted information from the CSPC SQL database.
118 CVE-2021-39379 89 Sql 2021-09-01 2021-09-09
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter.
119 CVE-2021-39378 89 Sql 2021-09-01 2021-09-16
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.
120 CVE-2021-39377 89 Sql 2021-09-01 2021-09-09
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.
121 CVE-2021-39376 89 Sql 2021-08-24 2021-08-31
6.5
None Remote Low ??? Partial Partial Partial
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the CorCad_F2/executaConsultaEspecifico IE_CORPO_ASSIST or CD_USUARIO_CONVENIO parameter.
122 CVE-2021-39375 89 Sql 2021-08-24 2021-09-14
6.5
None Remote Low ??? Partial Partial Partial
Philips Healthcare Tasy Electronic Medical Record (EMR) 3.06 allows SQL injection via the WAdvancedFilter/getDimensionItemsByCode FilterValue parameter.
123 CVE-2021-39351 89 Sql 2021-10-06 2021-10-14
4.0
None Remote Low ??? Partial None None
The WP Bannerize WordPress plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfiltrate sensitive information from vulnerable sites. This issue affects versions 2.0.0 - 4.0.2.
124 CVE-2021-39302 89 Sql 2021-08-19 2021-08-23
6.8
None Remote Medium Not required Partial Partial Partial
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value.
125 CVE-2021-39179 89 Exec Code Sql 2021-10-29 2021-11-03
6.5
None Remote Low ??? Partial Partial Partial
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands via unspecified vectors. This vulnerability affects the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` API endpoints in all DHIS2 versions 2.34, 2.35, and 2.36. It also affects versions 2.32 and 2.33 which have reached _end of support_ - exceptional security updates have been added to the latest *end of support* builds for these versions. Versions 2.31 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user - the vulnerability requires a conscious attack to be exploited. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. Security patches are available in DHIS2 versions 2.32-EOS, 2.33-EOS, 2.34.7, 2.35.7, and 2.36.4. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the `/api/trackedEntityInstances`, and `/api/trackedEntityInstances/query` endpoints as a temporary workaround while waiting to upgrade.
126 CVE-2021-39165 287 Sql 2021-08-26 2021-09-01
5.0
None Remote Low Not required Partial None None
Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection in `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as the administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active; the stable version 2.3.18 and its developing 2.4 branch are affected.
127 CVE-2021-38840 89 Sql 2021-09-07 2021-11-28
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection can occur in Simple Water Refilling Station Management System 1.0 via the water_refilling/classes/Login.php username parameter.
128 CVE-2021-38833 89 Sql 2021-09-13 2021-11-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE.
129 CVE-2021-38754 89 Sql 2021-08-16 2021-11-02
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in Hospital Management System due to lack of input validation in messearch.php.
130 CVE-2021-38727 89 Sql 2021-09-09 2021-11-28
7.5
None Remote Low Not required Partial Partial Partial
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/logs/items
131 CVE-2021-38723 89 Sql 2021-09-09 2021-09-20
6.5
None Remote Low ??? Partial Partial Partial
FUEL CMS 1.5.0 allows SQL Injection via parameter 'col' in /fuel/index.php/fuel/pages/items
132 CVE-2021-38706 89 Exec Code Sql 2021-09-07 2021-09-10
6.5
None Remote Low ??? Partial Partial Partial
messages_load.php in ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter.
133 CVE-2021-38574 89 Sql 2021-08-11 2021-08-12
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows SQL Injection via crafted data at the end of a string.
134 CVE-2021-38481 89 Sql 2021-10-22 2021-10-27
7.5
None Remote Low Not required Partial Partial Partial
The scheduler service running on a specific TCP port enables the user to start and stop jobs. There is no sanitization of the supplied JOB ID provided to the function. An attacker may send a malicious payload that can enable the user to execute another SQL expression by sending a specific string.
135 CVE-2021-38393 89 Exec Code Sql 2021-08-30 2021-09-07
10.0
None Remote Low Not required Complete Complete Complete
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
136 CVE-2021-38391 89 Exec Code Sql 2021-08-30 2021-09-07
10.0
None Remote Low Not required Complete Complete Complete
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
137 CVE-2021-38390 89 Exec Code Sql 2021-08-30 2021-09-07
10.0
None Remote Low Not required Complete Complete Complete
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
138 CVE-2021-38324 89 Sql 2021-09-09 2021-09-22
5.0
None Remote Low Not required Partial None None
The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3.
139 CVE-2021-38303 89 Sql 2021-09-28 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.
140 CVE-2021-38302 89 Sql 2021-08-13 2021-08-23
7.5
None Remote Low Not required Partial Partial Partial
The Newsletter extension through 4.0.0 for TYPO3 allows SQL Injection.
141 CVE-2021-38168 89 Sql 2021-08-07 2021-08-12
6.5
None Remote Low ??? Partial Partial Partial
Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers.
142 CVE-2021-38167 89 Sql Bypass 2021-08-07 2021-08-13
7.5
None Remote Low Not required Partial Partial Partial
Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unauthenticated attacker can extract a valid uuid to bypass authentication.
143 CVE-2021-38159 89 Sql 2021-08-07 2021-08-14
7.5
None Remote Low Not required Partial Partial Partial
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4).
144 CVE-2021-38145 89 Sql 2021-08-31 2021-09-08
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Form Tools through 3.0.20. SQL Injection can occur via the export_group_id field when a low-privileged user (client) tries to export a form with data, e.g., manipulation of modules/export_manager/export.php?export_group_id=1&export_group_1_results=all&export_type_id=1.
145 CVE-2021-37832 89 Sql 2021-08-03 2021-08-11
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter.
146 CVE-2021-37808 89 Sql 2021-10-27 2021-12-16
4.3
None Remote Medium Not required Partial None None
SQL Injection vulnerabilities exist in https://phpgurukul.com News Portal Project 3.1 via the (1) category, (2) subcategory, (3) sucatdescription, and (4) username parameters; the server response is delayed by about (N) seconds respectively, which means it is vulnerable to MySQL Blind (Time Based) injection. An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database.
147 CVE-2021-37807 89 Sql 2021-10-27 2021-11-03
5.0
None Remote Low Not required Partial None None
An SQL Injection vulnerability exists in https://phpgurukul.com Online Shopping Portal 3.1 via the email parameter on the /check_availability.php endpoint, which serves as a checker for whether a new user's email already exists within the database.
148 CVE-2021-37806 89 Sql 2021-10-27 2021-11-28
4.3
None Remote Medium Not required Partial None None
An SQL Injection vulnerability exists in https://phpgurukul.com Vehicle Parking Management System, affected version 1.0. The system is vulnerable to time-based SQL injection on multiple endpoints. Based on a SLEEP(N) function payload that sleeps for a number of seconds, used on the (1) editid, (2) viewid, and (3) catename parameters, the server response is delayed by about (N) seconds respectively, which means it is vulnerable to MySQL Blind (Time Based) injection. An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database.
149 CVE-2021-37803 89 Sql 2021-10-27 2021-11-02
9.3
None Remote Medium Not required Complete Complete Complete
An SQL Injection vulnerability exists in Sourcecodester Online Covid Vaccination Scheduler System 1.0 via the username in lognin.php.
150 CVE-2021-37749 89 Sql 2021-08-30 2021-09-01
10.0
None Remote Low Not required Complete Complete Complete
MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method.
Total number of vulnerabilities: 627. Page 3 of 13.