CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-44427 89 Sql 2021-11-29 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
2 CVE-2021-44349 89 Sql 2021-12-03 2021-12-06
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\DownloadController.class.php.
3 CVE-2021-44348 89 Sql 2021-12-03 2021-12-06
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameer in App\Manage\Controller\AdvertController.class.php.
4 CVE-2021-44347 89 Sql 2021-12-03 2021-12-06
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Controller\GuestbookController.class.php.
5 CVE-2021-44280 89 Sql 2021-12-01 2021-12-02
7.5
None Remote Low Not required Partial Partial Partial
attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.
6 CVE-2021-44050 89 Sql 2021-12-02 2021-12-06
4.0
None Remote Low ??? Partial None None
CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.
7 CVE-2021-44026 89 Sql 2021-11-19 2021-12-06
7.5
None Remote Low Not required Partial Partial Partial
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
8 CVE-2021-43789 89 Sql 2021-12-07 2021-12-07
0.0
None ??? ??? ??? ??? ??? ???
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.
9 CVE-2021-43679 89 Sql 2021-12-02 2021-12-03
7.5
None Remote Low Not required Partial Partial Partial
ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php.
10 CVE-2021-43451 89 Sql 2021-12-01 2021-12-03
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php.
11 CVE-2021-43408 89 Exec Code Sql 2021-11-19 2021-11-24
9.0
None Remote Low ??? Complete Complete Complete
The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it also possible to exploit features of SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators, however the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.
12 CVE-2021-43362 89 Sql 2021-11-16 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
Due to improper sanitization MedData HBYS software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with the web access is able to extract critical information from the system.
13 CVE-2021-43361 89 Sql 2021-11-16 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
Due to improper sanitization MedData HBYS software suffers from a remote SQL injection vulnerability. An unauthenticated attacker with the web access is able to extract critical information from the system.
14 CVE-2021-43338 89 Sql 2021-11-03 2021-11-05
6.5
None Remote Low ??? Partial Partial Partial
In Ericsson Network Location MPS GMPC21, it is possible to creates a new admin user with a SQL Query for file_name in the export functionality.
15 CVE-2021-43140 89 Sql 2021-11-03 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. via the login.
16 CVE-2021-43130 89 Sql 2021-11-03 2021-11-17
10.0
None Remote Low Not required Complete Complete Complete
An SQL Injection vulnerability exists in Sourcecodester Customer Relationship Management System (CRM) 1.0 via the username parameter in customer/login.php.
17 CVE-2021-43035 89 Exec Code Sql 2021-12-06 2021-12-06
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account.
18 CVE-2021-42670 89 Exec Code Sql 2021-11-05 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to the announcements_student.php web page. As a result a malicious user can extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.
19 CVE-2021-42668 89 Exec Code Sql 2021-11-05 2021-11-09
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page.. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability in order to get a remote code execution on the remote web server.
20 CVE-2021-42667 89 Exec Code Sql 2021-11-05 2021-11-28
7.5
None Remote Low Not required Partial Partial Partial
A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the sql query performed. As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server.
21 CVE-2021-42666 89 Exec Code Sql 2021-11-05 2021-11-30
6.5
None Remote Low ??? Partial Partial Partial
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.
22 CVE-2021-42665 89 Sql Bypass 2021-11-05 2021-11-23
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.
23 CVE-2021-42663 74 Sql 2021-11-05 2021-11-09
4.3
None Remote Medium Not required Partial None None
An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link he will display the content of the HTML code of the attacker's choice.
24 CVE-2021-42580 89 Exec Code Sql Bypass 2021-11-15 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
Sourcecodester Online Learning System 2.0 is vunlerable to sql injection authentication bypass in admin login file (/admin/login.php) and authenticated file upload in (Master.php) file , we can craft these two vunlerablities to get unauthenticated remote command execution.
25 CVE-2021-42369 89 Sql 2021-10-14 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. A low-privileged user could inject a SQL statement through the "Export to CSV" feature of the Contact Manager web GUI.
26 CVE-2021-42334 89 Sql 2021-10-15 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
The Easytest contains SQL injection vulnerabilities. After obtaining a user’s privilege, remote attackers can inject SQL commands into the parameters of the elective course management page to obtain all database and administrator permissions.
27 CVE-2021-42333 89 Sql 2021-10-15 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
The Easytest contains SQL injection vulnerabilities. After obtaining user’s privilege, remote attackers can inject SQL commands into the parameters of the learning history page to access all database and obtain administrator permissions.
28 CVE-2021-42325 89 Sql 2021-10-12 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.
29 CVE-2021-42258 89 Exec Code Sql 2021-10-22 2021-10-28
6.8
None Remote Medium Not required Partial Partial Partial
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
30 CVE-2021-42224 89 Sql 2021-10-13 2021-10-19
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability exists in IFSC Code Finder Project 1.0 via the searchifsccode POST parameter in /search.php.
31 CVE-2021-42169 89 Sql Bypass 2021-10-22 2021-12-03
7.5
None Remote Low Not required Partial Partial Partial
The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite Free Source Code (by: oretnom23 ) is vulnerable from remote SQL-Injection-Bypass-Authentication for the admin account. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
32 CVE-2021-42131 Sql 2021-12-07 2021-12-07
0.0
None ??? ??? ??? ??? ??? ???
A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.
33 CVE-2021-42077 89 Sql Bypass 2021-11-08 2021-11-09
10.0
None Remote Low Not required Complete Complete Complete
PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. This can be used to execute SQL statements directly on the database, allowing an adversary in some cases to completely compromise the database system. It can also be used to bypass the login form.
34 CVE-2021-41971 89 Sql 2021-10-18 2021-10-22
6.0
None Remote Medium ??? Partial Partial Partial
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.
35 CVE-2021-41947 89 Sql 2021-10-08 2021-11-30
6.5
None Remote Low ??? Partial Partial Partial
A SQL injection vulnerability exists in Subrion CMS v4.2.1 in the visual-mode.
36 CVE-2021-41931 89 Sql 2021-11-17 2021-11-18
7.5
None Remote Low Not required Partial Partial Partial
The Company's Recruitment Management System in id=2 of the parameter from view_vacancy app on-page appears to be vulnerable to SQL injection. The payloads 19424269' or '1309'='1309 and 39476597' or '2917'='2923 were each submitted in the id parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
37 CVE-2021-41920 89 Sql 2021-10-08 2021-10-15
5.0
None Remote Low Not required Partial None None
webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters. This allows an attacker to access all the data in the database and obtain access to the webTareas application.
38 CVE-2021-41845 89 Sql 2021-10-01 2021-10-07
4.0
None Remote Low ??? None Partial None
A SQL injection issue was discovered in ThycoticCentrify Secret Server before 11.0.000007. The only affected versions are 10.9.000032 through 11.0.000006.
39 CVE-2021-41765 89 Exec Code Sql 2021-11-15 2021-11-17
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of ResourceSpace 9.5 and 9.6 < rev 18274 allows remote unauthenticated attackers to execute arbitrary SQL commands via the k parameter. This allows attackers to uncover the full contents of the ResourceSpace database, including user session cookies. An attacker who gets an admin user session cookie can use the session cookie to execute arbitrary code on the server.
40 CVE-2021-41746 89 Sql +Info 2021-10-29 2021-12-06
5.0
None Remote Low Not required Partial None None
SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.
41 CVE-2021-41679 89 Sql 2021-11-30 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.
42 CVE-2021-41678 89 Sql 2021-11-30 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter.
43 CVE-2021-41677 89 Sql 2021-11-30 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.
44 CVE-2021-41676 89 Sql 2021-10-29 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerabilty exists in the oretnom23 Pharmacy Point of Sale System 1.0 in the login function in actions.php.
45 CVE-2021-41674 89 Sql 2021-10-29 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php.
46 CVE-2021-41651 89 Sql 2021-10-04 2021-10-12
5.0
None Remote Low Not required Partial None None
A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable cid parameter in process_update_profile.php.
47 CVE-2021-41649 89 Sql 2021-10-01 2021-11-05
7.5
None Remote Low Not required Partial Partial Partial
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.
48 CVE-2021-41648 89 Sql 2021-10-01 2021-11-26
5.0
None Remote Low Not required Partial None None
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.
49 CVE-2021-41647 89 Sql 2021-10-01 2021-10-08
6.4
None Remote Low Not required Partial Partial None
An un-authenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0. An attacker can exploit the vulnerable "username" parameter in login.php and retrieve sensitive database information, as well as add an administrative user.
50 CVE-2021-41511 89 Sql Bypass 2021-10-04 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.