CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In 2019 (SQL Injection)

Each entry below spans four lines: (1) row number, CVE ID, CWE ID, vulnerability type(s), publish date, update date; (2) CVSS v2 base score; (3) gained access level, access complexity, authentication, and confidentiality / integrity / availability impact; (4) the CVE description. The "# of Exploits" column is empty for every entry on this page and is omitted. Where the authentication field shows "???", the listed score (6.5 or 4.0 with the other vectors shown) is the CVSS v2 value for Au:S, a single instance of authentication, and the corresponding descriptions speak of authenticated attackers.
251 CVE-2019-10707 89 Sql 2019-04-02 2019-04-03
7.5
None Remote Low Not required Partial Partial Partial
MKCMS V5.0 has SQL injection via the bplay.php play parameter.
252 CVE-2019-10687 89 Sql 2019-08-21 2019-08-27
7.5
None Remote Low Not required Partial Partial Partial
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
253 CVE-2019-10671 89 Sql 2019-09-09 2019-09-10
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these database queries to extract or manipulate data, as demonstrated by the graph.php sort parameter.
254 CVE-2019-10669 78 Exec Code Sql 2019-09-09 2020-08-24
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_real_escape_string function. This function is not the appropriate function to sanitize command arguments, as it does not escape a number of command-line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru().
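The LibreNMS collectd entry above is the "right escaping, wrong sink" pattern: a function that neutralizes quote characters for a MySQL string literal does nothing about the characters a shell acts on. The following is an added example, not LibreNMS code, written in Python because the point is language-independent: a re-implementation of the escaping mysqli_real_escape_string performs is applied to a constructed attacker value, the value is interpolated into a shell command the way passthru() consumes it, and the same value is then passed the hardened way (argv list, or shlex.quote when a command string is unavoidable). `printf` stands in for the rrdtool binary; `$rrd_cmd` and the real LibreNMS parameters are not modelled.

```python
import shlex
import subprocess

# Python re-implementation of the escaping mysqli_real_escape_string performs
# (MySQL escapes NUL, \n, \r, ^Z, backslash and both quote characters).
# Written for this example; it is not LibreNMS code.
_MYSQL_ESCAPES = {
    0x00: "\\0", 0x0A: "\\n", 0x0D: "\\r", 0x1A: "\\Z",
    ord("\\"): "\\\\", ord("'"): "\\'", ord('"'): '\\"',
}

def mysql_real_escape_string(value: str) -> str:
    return value.translate(_MYSQL_ESCAPES)

# Characters /bin/sh treats specially and MySQL escaping does not touch.
SHELL_METACHARS = "`$();|&<>"

def surviving_shell_metachars(value: str) -> set:
    """Shell metacharacters that are still present after SQL escaping."""
    escaped = mysql_real_escape_string(value)
    return {c for c in SHELL_METACHARS if c in escaped}

# Constructed attacker input: a harmless command substitution standing in for
# whatever the attacker would really run.
PAYLOAD = "`echo INJECTED`"

def run_vulnerable(user_value: str) -> str:
    """The bug pattern: SQL-escape, interpolate into a command string, hand the
    string to a shell (what PHP's passthru() does). printf stands in for rrdtool."""
    cmd = f'printf "%s" "{mysql_real_escape_string(user_value)}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_hardened(user_value: str) -> str:
    """The fix: no shell at all; the value is exactly one argv entry."""
    return subprocess.run(["printf", "%s", user_value],
                          capture_output=True, text=True).stdout

def shell_safe_command(user_value: str) -> str:
    """If a command string is unavoidable, quote for the shell (shlex.quote),
    not for the database."""
    return f"printf %s {shlex.quote(user_value)}"

def run_quoted(user_value: str) -> str:
    return subprocess.run(shell_safe_command(user_value), shell=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    print("survives escaping:", surviving_shell_metachars(PAYLOAD))
    print("vulnerable:", run_vulnerable(PAYLOAD))
    print("hardened:  ", run_hardened(PAYLOAD))
    print("quoted:    ", run_quoted(PAYLOAD))
```

The escaped payload is byte-for-byte identical to the input, because it contains none of the seven characters MySQL escaping cares about; the shell then runs the substitution inside the double quotes. The argv form never gives a shell the chance to parse anything.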
255 CVE-2019-10665 74 DoS Sql 2019-09-09 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files.
256 CVE-2019-10664 89 Sql 2019-03-31 2019-05-03
7.5
None Remote Low Not required Partial Partial Partial
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.
257 CVE-2019-10663 89 Sql 2019-03-30 2019-04-01
6.5
None Remote Low ??? Partial Partial Partial
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
258 CVE-2019-10653 89 Sql 2019-07-10 2019-07-11
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Hsycms V1.1. There is a SQL injection vulnerability via a /news/*.html page.
259 CVE-2019-10262 89 Sql 2019-03-28 2019-03-29
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_id is concatenated directly into a query in uploads/admin/ad.php (in the admin folder) and is not wrapped in single quotes, so an injected payload needs no quote characters and the escaping performed by magic quotes does not prevent the injection.
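The BlueCMS entry above is the classic reason quote-escaping (magic_quotes_gpc, addslashes, mysql_real_escape_string) is not an injection defence: it only helps when the value lands inside a quoted string literal. In an unquoted numeric position the attacker's payload contains no quotes, so there is nothing to escape. The following is an added example, not BlueCMS code: a Python port of PHP's addslashes() feeds a constructed `ad_id` value into an unquoted `WHERE ad_id = ...`, then the same lookup is done with a bound parameter and with strict integer validation. The table and column names are invented for the example (SQLite in memory).

```python
import re
import sqlite3

def addslashes(value: str) -> str:
    """Python port of PHP's addslashes(), which is what magic_quotes_gpc applied
    to every request parameter. Written for this example."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))

def make_db() -> sqlite3.Connection:
    # Constructed sample data; names are invented for the example.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ad(ad_id INTEGER PRIMARY KEY, ad_name TEXT NOT NULL);
        INSERT INTO ad VALUES (1, 'top-banner'), (2, 'side-banner'), (3, 'footer');
    """)
    return con

def get_ad_vulnerable(con, ad_id_param: str) -> list:
    """The bug pattern: escaped, but interpolated into an unquoted position.
    '0 OR 1=1' contains no quote, so addslashes() returns it unchanged."""
    sql = f"SELECT ad_id, ad_name FROM ad WHERE ad_id = {addslashes(ad_id_param)}"
    return con.execute(sql).fetchall()

def get_ad_bound(con, ad_id_param: str) -> list:
    """Fix 1: bind the value. The whole string is one comparison operand and is
    never parsed as SQL; a non-numeric string simply matches no row."""
    return con.execute("SELECT ad_id, ad_name FROM ad WHERE ad_id = ?",
                       (ad_id_param,)).fetchall()

# Strict: int() alone would accept ' 2 ', '+2' and '2_0' (Python allows
# underscores in numeric literals), so validate the raw text first.
_ID_PATTERN = re.compile(r"[0-9]{1,10}")

def get_ad_validated(con, ad_id_param: str) -> list:
    """Fix 2: reject anything that is not a plain decimal id, then bind the int."""
    if not _ID_PATTERN.fullmatch(ad_id_param):
        raise ValueError(f"invalid ad_id: {ad_id_param!r}")
    return con.execute("SELECT ad_id, ad_name FROM ad WHERE ad_id = ?",
                       (int(ad_id_param),)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, payload '0 OR 1=1':", get_ad_vulnerable(con, "0 OR 1=1"))
    print("bound, same payload:          ", get_ad_bound(con, "0 OR 1=1"))
    print("validated, id 2:              ", get_ad_validated(con, "2"))
```

Both fixes are needed in practice: binding stops the injection, and validation gives the application a clean error instead of a silent empty result when the id is malformed.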
260 CVE-2019-10232 89 Sql 2019-03-27 2019-03-28
7.5
None Remote Low Not required Partial Partial Partial
Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php.
261 CVE-2019-10208 89 Sql 2019-10-29 2020-08-17
6.5
None Remote Low ??? Partial Partial Partial
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
262 CVE-2019-10141 89 DoS Sql 2019-07-30 2021-08-04
6.4
None Remote Low Not required None Partial Partial
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
263 CVE-2019-10123 89 Exec Code Sql 2019-05-31 2019-06-03
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which is the backend for the AIS logistics mobile app) allows an anonymous attacker to execute arbitrary code in the context of the user of the MSSQL database. The default user for the database is the 'sa' user.
264 CVE-2019-9918 89 Sql 2019-03-29 2019-10-09
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in the Harmis JE Messenger component 1.2.2 for Joomla!. Input does not get validated and queries are not written in a way to prevent SQL injection. Therefore arbitrary SQL-Statements can be executed in the database.
265 CVE-2019-9885 89 Exec Code Sql 2019-07-25 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
eClass platform < ip.2.5.10.2.1 allows an attacker to execute SQL command via /admin/academic/studenview_left.php StudentID parameter.
266 CVE-2019-9846 89 Sql +Info 2019-06-28 2019-07-05
4.0
None Remote Low ??? Partial None None
RockOA 1.8.7 allows remote attackers to obtain sensitive information because the webmain/webmainAction.php publictreestore method constructs a SQL WHERE clause unsafely by using the pidfields and idfields parameters, aka background SQL injection.
267 CVE-2019-9762 89 Sql 2019-03-14 2019-03-14
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment/alipay/pay.php with the parameter id. The vulnerability does not need any authentication.
268 CVE-2019-9759 89 Sql 2019-04-02 2019-04-02
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in TONGDA Office Anywhere 10.18.190121. There is a SQL Injection vulnerability via the general/approve_center/list/input_form/work_handle.php run_id parameter.
269 CVE-2019-9693 89 Sql 2019-03-11 2019-03-12
6.5
None Remote Low ??? Partial Partial Partial
In CMS Made Simple (CMSMS) before 2.2.10, an authenticated user can achieve SQL Injection in class.showtime2_data.php via the functions _updateshow (parameter show_id), _inputshow (parameter show_id), _Getshowinfo (parameter show_id), _Getpictureinfo (parameter picture_id), _AdjustNameSeq (parameter shownumber), _Updatepicture (parameter picture_id), and _Deletepicture (parameter picture_id).
270 CVE-2019-9626 89 Sql 2019-03-07 2019-03-07
7.5
None Remote Low Not required Partial Partial Partial
PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection to index.php.
271 CVE-2019-9615 89 Sql 2019-03-06 2019-03-07
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in OFCMS before 1.1.3. It allows admin/system/generate/create?sql= SQL injection, related to SystemGenerateController.java.
272 CVE-2019-9594 89 Sql 2019-03-06 2019-03-07
7.5
None Remote Low Not required Partial Partial Partial
BlueCMS 1.6 allows SQL Injection via the user_id parameter in an uploads/admin/user.php?act=edit request.
273 CVE-2019-9568 89 Sql 2019-03-04 2019-03-07
4.0
None Remote Low ??? Partial None None
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.
274 CVE-2019-9566 89 Sql 2019-03-04 2019-03-05
7.5
None Remote Low Not required Partial Partial Partial
FlarumChina v0.1.0-beta.7C has SQL injection via a /?q= request.
275 CVE-2019-9204 89 Exec Code Sql 2019-03-28 2019-04-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Nagios IM (component of Nagios XI) before 2.2.7 allows attackers to execute arbitrary SQL commands.
276 CVE-2019-9184 89 Exec Code Sql 2019-02-26 2019-04-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the product_option[] parameter.
277 CVE-2019-9165 89 Exec Code Sql 2019-03-28 2019-04-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Nagios XI before 5.5.11 allows attackers to execute arbitrary SQL commands via the API when using fusekeys and malicious user id.
278 CVE-2019-9087 89 Sql 2019-06-07 2019-07-01
7.5
None Remote Low Not required Partial Partial Partial
HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter.
279 CVE-2019-9086 89 Sql 2019-06-07 2019-07-01
7.5
None Remote Low Not required Partial Partial Partial
HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter.
280 CVE-2019-9083 89 Sql 2019-03-21 2019-03-25
7.5
None Remote Low Not required Partial Partial Partial
SQLiteManager 1.20 and 1.24 allows SQL injection via the /sqlitemanager/main.php dbsel parameter. NOTE: This product is discontinued.
281 CVE-2019-9053 89 Sql 2019-03-26 2019-04-24
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
282 CVE-2019-9047 89 Sql 2019-02-23 2019-02-25
7.5
None Remote Low Not required Partial Partial Partial
GoRose v1.0.4 has SQL Injection when the order_by or group_by parameter can be controlled.
283 CVE-2019-9039 89 DoS Sql 2019-06-26 2020-02-10
7.5
None Remote Low Not required Partial Partial Partial
In Couchbase Sync Gateway 2.1.2, an attacker with access to the Sync Gateway’s public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for Couchbase Mobile replication and external access to this REST endpoint has been blocked to mitigate this issue. This issue has been fixed in versions 2.5.0 and 2.1.3.
284 CVE-2019-8979 89 Sql 2019-02-21 2019-04-12
7.5
None Remote Low Not required Partial Partial Partial
Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.
285 CVE-2019-8923 89 Sql 2019-05-14 2019-05-16
7.5
None Remote Low Not required Partial Partial Partial
XAMPP through 5.6.8 allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued.
286 CVE-2019-8600 89 Exec Code Sql Mem. Corr. 2019-12-18 2020-08-24
7.5
None Remote Low Not required Partial Partial Partial
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, iTunes for Windows 12.9.5, iCloud for Windows 7.12. A maliciously crafted SQL query may lead to arbitrary code execution.
287 CVE-2019-8429 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
288 CVE-2019-8428 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.
289 CVE-2019-8424 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
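Four entries on this page share one root cause: a request parameter that selects the sort column (LibreNMS graph.php `sort`, GoRose and Kohana `order_by`, ZoneMinder ajax/status.php `sort`). These cannot be fixed by "just use a prepared statement", because placeholders bind values, not identifiers. The following is an added example, not code from any of those projects, in Python with SQLite because the pattern is language-independent; table, column and secret values are constructed for the example. It shows the vulnerable pattern, why a bound placeholder silently does nothing useful in ORDER BY, how an attacker extracts data from an unrelated table using only the order in which rows come back, and the allow-list fix.

```python
import sqlite3
import string

def make_db() -> sqlite3.Connection:
    # Constructed sample data: a table the application sorts, and an unrelated
    # table holding a secret the attacker wants to read.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE graphs(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO graphs(name) VALUES ('cpu'), ('bits'), ('mem');
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT NOT NULL, api_key TEXT NOT NULL);
        INSERT INTO users(name, api_key) VALUES ('admin', 'k7z');
    """)
    return con

BY_ID = ["cpu", "bits", "mem"]     # row order when sorted by id
BY_NAME = ["bits", "cpu", "mem"]   # row order when sorted by name

def list_graphs_vulnerable(con, sort: str) -> list:
    """The bug pattern: the sort parameter is pasted into the query text."""
    return [row[0] for row in con.execute(f"SELECT name FROM graphs ORDER BY {sort}")]

def list_graphs_bound(con, sort: str) -> list:
    """Why a placeholder is not the fix here: a bound value is a constant, so
    every row gets the same sort key and the parameter has no effect."""
    return [row[0] for row in con.execute("SELECT name FROM graphs ORDER BY ?", (sort,))]

ALLOWED_SORT = {"id": "id", "name": "name"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}

def list_graphs_safe(con, sort: str, direction: str = "asc") -> list:
    """The fix: map request values onto a fixed set of column names and
    directions; anything else is rejected before it reaches the query."""
    try:
        column = ALLOWED_SORT[sort]
        order = ALLOWED_DIR[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort: {sort!r} {direction!r}") from None
    return [row[0] for row in con.execute(f"SELECT name FROM graphs ORDER BY {column} {order}")]

def extract_api_key(con, alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """Blind extraction through the ORDER BY clause alone.

    The injected CASE makes the sort key depend on one character of the
    secret: rows come back in name order when the guess is right and in id
    order otherwise. No error text and no data from 'users' is ever displayed.
    """
    secret = ""
    while True:
        for ch in alphabet:
            payload = (
                "(CASE WHEN (SELECT substr(api_key, {pos}, 1) FROM users "
                "WHERE name = 'admin') = '{ch}' THEN name ELSE id END)"
            ).format(pos=len(secret) + 1, ch=ch)
            if list_graphs_vulnerable(con, payload) == BY_NAME:
                secret += ch
                break
        else:
            return secret   # no character matched: past the end of the secret

if __name__ == "__main__":
    con = make_db()
    print("recovered via sort order:", extract_api_key(con))
    print("bound placeholder:       ", list_graphs_bound(con, "name"))
    print("allow-listed:            ", list_graphs_safe(con, "name", "desc"))
```

The extraction loop needs one query per guess and no output other than the ordinary page, which is why a sort parameter with a 4.0 or 6.5 score is still a data-disclosure primitive. The allow-list is the only fix that works for identifiers; a mapping from request value to column name also keeps the database schema out of the URL.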
290 CVE-2019-8423 89 Sql 2019-02-18 2019-02-19
7.5
None Remote Low Not required Partial Partial Partial
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
291 CVE-2019-8422 89 Sql 2019-02-17 2019-02-19
6.5
None Remote Low ??? Partial Partial Partial
A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the description parameter in apps\admin\controller\content\ContentController.php.
292 CVE-2019-8421 89 Sql 2019-02-17 2019-02-20
6.5
None Remote Low ??? Partial Partial Partial
upload/protected/modules/admini/views/post/index.php in BageCMS through 3.1.4 allows SQL Injection via the title or titleAlias parameter.
293 CVE-2019-8393 89 Sql 2019-02-17 2019-02-20
7.5
None Remote Low Not required Partial Partial Partial
Hotels_Server through 2018-11-05 has SQL Injection via the API because the controller/api/login.php telephone parameter is mishandled.
294 CVE-2019-8360 89 Sql 2019-02-16 2019-02-20
7.5
None Remote Low Not required Partial Partial Partial
Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter.
295 CVE-2019-8143 89 Sql +Info 2019-11-06 2019-11-06
4.0
None Remote Low ??? Partial None None
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database.
296 CVE-2019-8134 89 Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables.
297 CVE-2019-8130 89 Sql 2019-11-06 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through group instance in email templates.
298 CVE-2019-8127 89 Sql 2019-11-05 2019-11-07
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to an account with Newsletter Template editing permission could exfiltrate the Admin login data, and reset their password, effectively performing a privilege escalation.
299 CVE-2019-7587 89 Sql 2019-02-07 2019-02-08
7.5
None Remote Low Not required Partial Partial Partial
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function.
300 CVE-2019-7585 89 Sql 2019-02-07 2019-02-08
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/PublicAction.class.php allows time-based SQL Injection via the param array parameter to the /index.php?m=public&a=checkemail URI.
Total number of vulnerabilities: 551 (this page shows entries 251 to 300, page 6 of 12)