CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2019 (SQL Injection)

Each entry below spans four lines. Line 1: # | CVE ID | CWE ID | # of Exploits (blank when none) | Vulnerability Type(s) | Publish Date | Update Date. Line 2: CVSS Score. Line 3: Gained Access Level | Access Complexity | Authentication | Conf. | Integ. | Avail. Line 4: description.
151 CVE-2019-13447 89 Sql 2019-07-17 2019-07-18
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Sertek Xpare 3.67. The login form does not sanitize input data. Because of this, a malicious agent could access the backend database via SQL injection.
152 CVE-2019-13413 89 Sql 2019-07-08 2019-07-31
7.5
None Remote Low Not required Partial Partial Partial
The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php.
153 CVE-2019-13409 89 Sql 2019-10-17 2019-10-22
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability was discovered in TOPMeeting before version 8.8 (2019/08/19). An attacker can use a union based injection query string through a search meeting room feature to get databases schema and username/password.
154 CVE-2019-13375 89 Sql 2019-07-06 2019-07-09
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. The vulnerability does not need any authentication.
155 CVE-2019-13373 89 Sql 2019-07-06 2019-07-09
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL.
156 CVE-2019-13292 89 Sql 2019-07-04 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.
157 CVE-2019-13275 89 Sql 2019-07-04 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default "use cache plugin" setting is enabled, is vulnerable to unauthenticated blind SQL Injection.
158 CVE-2019-13191 89 Exec Code Sql 2019-09-05 2019-09-05
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability in IntraMaps MapControl 8 allows attackers to execute arbitrary SQL commands via the /ApplicationEngine/Search/Refine/Set page.
159 CVE-2019-13146 74 Sql XSS 2019-07-09 2020-08-24
5.0
None Remote Low Not required None Partial None
The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).
160 CVE-2019-13086 89 Sql CSRF 2019-06-30 2019-07-03
7.5
None Remote Low Not required Partial Partial Partial
core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.
161 CVE-2019-13079 89 Exec Code Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The affected parameter is TYPE_NAME.
162 CVE-2019-13078 89 Exec Code Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The affected parameter is sort_column.
163 CVE-2019-13076 89 Exec Code Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and affected parameters are order[0][column] and order[0][dir].
164 CVE-2019-13027 89 Sql 2019-07-12 2019-07-15
7.5
None Remote Low Not required Partial Partial Partial
Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least the taskupdt/taskdetails.aspx webpage via the projectname parameter.
165 CVE-2019-13026 89 Sql 2019-07-30 2019-08-07
7.5
None Remote Low Not required Partial Partial Partial
OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attacker and the victim is necessary.
166 CVE-2019-12989 89 Sql 2019-07-16 2019-11-20
7.5
None Remote Low Not required Partial Partial Partial
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
167 CVE-2019-12960 89 Sql 2019-06-25 2019-06-25
7.5
None Remote Low Not required Partial Partial Partial
LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in functions.internal.build.inc.php via the parameter p_dt_s_d.
168 CVE-2019-12946 89 Sql 2019-07-19 2019-07-22
5.0
None Remote Low Not required Partial None None
Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx and EventSearchAdv.aspx.
169 CVE-2019-12939 89 Sql 2019-06-24 2019-06-26
7.5
None Remote Low Not required Partial Partial Partial
LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in server.php via the p_ext_rse parameter.
170 CVE-2019-12918 89 Sql 2019-11-06 2019-11-07
7.5
None Remote Low Not required Partial Partial Partial
Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir].
171 CVE-2019-12872 89 Sql 2019-06-18 2019-06-18
6.5
None Remote Low ??? Partial Partial Partial
dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.
172 CVE-2019-12850 89 Sql 2019-07-03 2019-07-10
7.5
None Remote Low Not required Partial Partial Partial
A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.
173 CVE-2019-12838 89 Sql 2019-07-11 2019-07-24
7.5
None Remote Low Not required Partial Partial Partial
SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.
174 CVE-2019-12723 89 Sql 2019-07-10 2019-07-11
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. It allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
175 CVE-2019-12720 89 Sql 2019-11-12 2019-11-15
5.0
None Remote Low Not required Partial None None
AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to mvc_send_mail.aspx (MailAdd parameter) SQL Injection. An attacker can carry a SQL Injection payload to the server, allowing the attacker to read privileged data. This also affects the picture_manage_mvc.aspx plant_no parameter, the swapdl_mvc.aspx plant_no parameter, and the account_management.aspx Text_Postal_Code and Text_Dis_Code parameters.
176 CVE-2019-12710 89 Sql 2019-10-02 2019-10-09
4.0
None Remote Low ??? Partial None None
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an authenticated, remote attacker to impact the confidentiality of an affected system by executing arbitrary SQL queries. The vulnerability exists because the affected software improperly validates user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted requests that contain malicious SQL statements to the affected application. A successful exploit could allow the attacker to determine the presence of certain values in the database, impacting the confidentiality of the system.
177 CVE-2019-12686 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
178 CVE-2019-12685 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
179 CVE-2019-12684 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
180 CVE-2019-12683 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
181 CVE-2019-12682 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
182 CVE-2019-12681 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
183 CVE-2019-12680 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
184 CVE-2019-12679 89 Exec Code Sql 2019-10-02 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabilities exist due to improper input validation. An attacker could exploit these vulnerabilities by sending crafted SQL queries to an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.
185 CVE-2019-12601 89 Sql 2019-06-07 2019-06-10
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).
186 CVE-2019-12600 89 Sql 2019-06-07 2019-06-10
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).
187 CVE-2019-12599 89 Sql 2019-06-07 2019-06-10
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection.
188 CVE-2019-12598 89 Sql 2019-06-07 2019-06-10
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3).
189 CVE-2019-12570 89 Exec Code Sql 2019-07-03 2019-12-02
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability in the Xpert Solution "Server Status by Hostname/IP" plugin 4.6 for WordPress allows an authenticated user to execute arbitrary SQL commands via GET parameters.
190 CVE-2019-12516 89 Sql 2019-09-13 2019-10-29
6.5
None Remote Low ??? Partial Partial Partial
The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-edit&id= or /wp-admin/admin.php?page=slickquiz-preview&id= URI.
191 CVE-2019-12465 89 Sql 2019-09-09 2019-09-10
5.5
None Remote Low ??? Partial Partial None
An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rulesuggest.php?debug=1&term= request.
192 CVE-2019-12463 74 DoS Sql 2019-09-09 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, disclosing file content, denial of service, or writing arbitrary files. NOTE: relative to CVE-2019-10665, this requires authentication and the pathnames differ.
193 CVE-2019-12385 89 Sql 2019-08-22 2019-11-11
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to a full compromise of admin accounts, when combined with the weak password generator algorithm used in the lostpassword functionality.
194 CVE-2019-12374 89 Sql 2019-06-03 2019-06-04
6.8
None Remote Medium Not required Partial Partial Partial
A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll.
195 CVE-2019-12372 89 Sql 2019-05-28 2019-05-29
4.6
None Local Low Not required Partial Partial Partial
Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.
196 CVE-2019-12279 89 Sql 2019-05-22 2019-08-09
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issue as not being a vulnerability because the issue does not seem to be a legitimate SQL Injection. The POC does not show any valid injection that can be done with the variable provided, and while the username value being passed does get used in a SQL query, it is passed through SQL escaping functions when creating the call. The vendor tried re-creating the issue with no luck.
197 CVE-2019-12251 89 Sql 2019-05-21 2019-05-21
6.5
None Remote Low ??? Partial Partial Partial
sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter.
198 CVE-2019-12239 352 Sql CSRF 2019-05-20 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.
199 CVE-2019-12196 89 Exec Code Sql 2019-06-05 2019-06-07
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.
200 CVE-2019-12193 89 Sql 2019-07-19 2019-07-29
7.5
None Remote Low Not required Partial Partial Partial
H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter.
Total number of vulnerabilities: 551 (this is page 4 of 12)