CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In 2021(SQL Injection)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.

151 | CVE-2021-37737 | 89 |  | Sql | 2021-10-15 | 2021-10-20 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager versions 6.10.x prior to 6.10.2, 6.9.x prior to 6.9.7-HF1, and 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.

152 | CVE-2021-37614 | 89 |  | Sql | 2021-08-05 | 2021-08-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3).

153 | CVE-2021-37599 | 89 |  | Exec Code Sql | 2021-08-12 | 2021-08-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The exporter/Login.aspx login form in the Exporter in Nuance Winscribe Dictation 4.1.0.99 is vulnerable to SQL injection that allows a remote, unauthenticated attacker to read the database (and execute code in some situations) via the txtPassword parameter.

154 | CVE-2021-37593 | 89 |  | Exec Code Sql | 2021-07-30 | 2021-09-21 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None
PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data.

155 | CVE-2021-37558 | 89 |  | Exec Code Sql | 2021-08-03 | 2021-08-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php.

156 | CVE-2021-37557 | 89 |  | Exec Code Sql | 2021-08-03 | 2021-08-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter.

157 | CVE-2021-37556 | 89 |  | Exec Code Sql | 2021-08-03 | 2021-08-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters.

158 | CVE-2021-37538 | 89 |  | Exec Code Sql | 2021-08-24 | 2021-08-31 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller.

159 | CVE-2021-37478 | 89 |  | Sql | 2021-07-26 | 2021-08-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
In NavigateCMS version 2.9.4 and below, the function `block` is vulnerable to SQL injection on the parameter `block-order`, which results in arbitrary SQL query execution in the backend database.

160 | CVE-2021-37477 | 89 |  | Sql | 2021-07-26 | 2021-07-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
In NavigateCMS version 2.9.4 and below, a function in `structure.php` is vulnerable to SQL injection on the parameter `children_order`, which results in arbitrary SQL query execution in the backend database.

161 | CVE-2021-37476 | 89 |  | Sql | 2021-07-26 | 2021-07-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
In NavigateCMS version 2.9.4 and below, a function in `product.php` is vulnerable to SQL injection on the parameter `id` through a POST request, which results in arbitrary SQL query execution in the backend database.

162 | CVE-2021-37475 | 89 |  | Sql | 2021-07-26 | 2021-07-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
In NavigateCMS version 2.9.4 and below, a function in `templates.php` is vulnerable to SQL injection on the parameter `template-properties-order`, which results in arbitrary SQL query execution in the backend database.

163 | CVE-2021-37473 | 89 |  | Sql | 2021-07-26 | 2021-07-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
In NavigateCMS version 2.9.4 and below, a function in `product.php` is vulnerable to SQL injection on the parameter `products-order` through a POST request, which results in arbitrary SQL query execution in the backend database.

164 | CVE-2021-37422 | 89 |  | Sql | 2021-09-10 | 2021-09-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL injection while linking the databases.

165 | CVE-2021-37371 | 89 |  | Sql Bypass | 2021-10-26 | 2021-10-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Online Student Admission System 1.0 is affected by an unauthenticated SQL injection bypass vulnerability in /admin/login.php.

166 | CVE-2021-37358 | 89 |  | Exec Code Sql | 2021-08-18 | 2021-08-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection in SEACMS v210530 (2021-05-30) allows remote attackers to execute arbitrary code via the component "admin_ajax.php?action=checkrepeat&v_name=".

167 | CVE-2021-37350 | 89 |  | Sql | 2021-08-13 | 2021-08-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Nagios XI before version 5.8.5 is vulnerable to SQL injection in the Bulk Modifications Tool due to improper input sanitisation.

168 | CVE-2021-36916 | 89 |  | Sql | 2021-11-24 | 2021-11-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For". As a result, a malicious payload supplied in one of these IP address headers is inserted directly into the SQL query, making SQL injection possible.

169 | CVE-2021-36880 | 89 |  | Sql | 2021-09-27 | 2021-10-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Unauthenticated SQL injection (SQLi) vulnerability in the WordPress uListing plugin (versions <= 2.0.3); vulnerable parameter: custom.

170 | CVE-2021-36807 | 89 |  | Exec Code Sql | 2021-11-26 | 2021-11-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.

171 | CVE-2021-36789 | 89 |  | Sql | 2021-08-13 | 2021-08-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows SQL injection.

172 | CVE-2021-36748 | 89 |  | Sql | 2021-08-20 | 2021-08-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None
A SQL injection issue in the list controller of the Prestahome Blog (aka ph_simpleblog) module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sb_category parameter.

173 | CVE-2021-36722 | 89 |  | Sql Bypass | 2021-12-29 | 2022-01-11 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
SQL injection in Emuse - eServices / eNvoice can be used in various ways, ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi is caused by CWE-209: Generation of Error Message Containing Sensitive Information, showing parts of the aspx code and the webroot location, information an attacker can leverage to further compromise the host.

174 | CVE-2021-36624 | 89 |  | Sql Bypass | 2021-07-30 | 2021-11-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Sourcecodester Phone Shop Sales Managements System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

175 | CVE-2021-36621 | 89 |  | Sql | 2021-07-30 | 2021-10-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Sourcecodester Online Covid Vaccination Scheduler System 1.0 is vulnerable to SQL injection. The username parameter is vulnerable to time-based SQL injection. Upon successfully dumping the admin password hash, an attacker can decrypt it and obtain the plain-text password. Hence, the attacker could authenticate as Administrator.

176 | CVE-2021-36455 | 89 |  | Sql | 2021-08-06 | 2021-08-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in \lib\packages\comments\comments.php.

177 | CVE-2021-36385 | 89 |  | Exec Code Sql | 2021-08-24 | 2021-08-31 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
A SQL injection vulnerability in Cerner Mobile Care 5.0.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via a Fullwidth Apostrophe (aka U+FF07) in the default.aspx User ID field. Arbitrary system commands can be executed through the use of xp_cmdshell.

178 | CVE-2021-36351 | 89 |  | Sql | 2021-08-06 | 2021-08-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in Care2x Open Source Hospital Information Management 2.7 Alpha via the (1) pday, (2) pmonth, and (3) pyear parameters in GET requests sent to /modules/nursing/nursing-station.php.

179 | CVE-2021-36328 | 89 |  | Exec Code Sql | 2021-11-30 | 2021-12-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Dell EMC Streaming Data Platform versions before 1.3 contain a SQL injection vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.

180 | CVE-2021-36300 | 89 |  | Sql | 2021-11-23 | 2021-11-26 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial
iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure.

181 | CVE-2021-36299 | 89 |  | DoS Sql | 2021-11-23 | 2021-11-27 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial
Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00, contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application.

182 | CVE-2021-36184 | 89 |  | Sql | 2021-11-02 | 2021-11-04 | 4.0 | None | Remote | Low | ??? | Partial | None | None
An improper neutralization of special elements used in an SQL command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows an attacker to disclose device, user and database information via crafted HTTP requests.

183 | CVE-2021-36124 | 287 |  | Sql | 2021-07-13 | 2021-07-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerable to attacks such as SQL injection.

184 | CVE-2021-35458 | 89 |  | Sql | 2021-07-30 | 2021-11-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Online Pet Shop We App 1.0 is vulnerable to union-based SQL injection in products.php (aka p=products) via the c or s parameter.

185 | CVE-2021-35456 | 89 |  | Sql | 2021-06-28 | 2021-07-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Online Pet Shop We App 1.0 is vulnerable to remote SQL injection and shell upload.

186 | CVE-2021-35414 | 89 |  | Sql | 2021-12-03 | 2021-12-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

187 | CVE-2021-35234 | 89 |  | Sql | 2021-12-20 | 2022-01-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Numerous exposed dangerous functions within Orion Core allow for read-only SQL injection leading to privilege escalation. An attacker with low user privileges may steal password hashes and password salt information.

188 | CVE-2021-35212 | 89 |  | Sql | 2021-08-31 | 2021-11-05 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
An SQL injection privilege escalation vulnerability was discovered in the Orion Platform, reported by the ZDI Team. A blind Boolean SQL injection could lead to full read/write access over the Orion database content, including the Orion certificate, for any authenticated user.

189 | CVE-2021-35048 | 89 |  | Sql | 2021-06-25 | 2021-09-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
A vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability.

190 | CVE-2021-35042 | 89 |  | Sql | 2021-07-02 | 2021-09-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

191 | CVE-2021-34684 | 89 |  | Sql | 2021-11-08 | 2021-11-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.

192 | CVE-2021-34609 | 89 |  | Sql | 2021-07-08 | 2021-07-12 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager versions prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

193 | CVE-2021-34187 | 89 |  | Sql | 2021-06-28 | 2021-07-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL injection via the searchField, filters, or filters2 parameter.

194 | CVE-2021-34166 | 287 |  | Sql Bypass | 2021-07-30 | 2021-08-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
A SQL injection vulnerability in Sourcecodester Simple Food Website 1.0 allows a remote attacker to bypass authentication and become Admin.

195 | CVE-2021-34165 | 89 |  | Sql Bypass | 2021-07-30 | 2021-08-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
A SQL injection vulnerability in Sourcecodester Basic Shopping Cart 1.0 allows a remote attacker to bypass authentication and become Admin.

196 | CVE-2021-33894 | 89 |  | Sql | 2021-06-09 | 2021-06-22 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
In Progress MOVEit Transfer before 2019.0.6 (11.0.6), 2019.1.x before 2019.1.5 (11.1.5), 2019.2.x before 2019.2.2 (11.2.2), 2020.x before 2020.0.5 (12.0.5), 2020.1.x before 2020.1.4 (12.1.4), and 2021.x before 2021.0.1 (13.0.1), a SQL injection vulnerability exists in SILUtility.vb in MOVEit.DMZ.WebApp in the MOVEit Transfer web app. This could allow an authenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and/or execute SQL statements that alter or delete database elements.

197 | CVE-2021-33736 | 89 |  | Exec Code Sql | 2021-10-12 | 2021-10-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

198 | CVE-2021-33735 | 89 |  | Exec Code Sql | 2021-10-12 | 2021-10-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

199 | CVE-2021-33734 | 89 |  | Exec Code Sql | 2021-10-12 | 2021-10-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.

200 | CVE-2021-33733 | 89 |  | Exec Code Sql | 2021-10-12 | 2021-10-18 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). A privileged authenticated attacker could execute arbitrary commands in the local database by sending crafted requests to the webserver of the affected application.
Total number of vulnerabilities: 627. Page 4 of 13.