CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Debian » Debian Linux » 9.0 * * * : Security Vulnerabilities (SQL Injection)

Cpe Name:cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-44026 89 Sql 2021-11-19 2021-12-16
7.5
None Remote Low Not required Partial Partial Partial
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
2 CVE-2021-27928 78 Exec Code Sql 2021-03-19 2022-01-04
9.0
None Remote Low ??? Complete Complete Complete
A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.
3 CVE-2020-26935 89 Sql 2020-10-10 2021-03-30
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.
4 CVE-2020-25638 89 Sql 2020-12-02 2021-10-18
5.8
None Remote Medium Not required Partial Partial None
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
5 CVE-2020-15180 20 Exec Code Sql 2021-05-27 2021-06-10
6.8
None Remote Medium Not required Partial Partial Partial
A flaw was found in the mysql-wsrep component of mariadb. Lack of input sanitization in `wsrep_sst_method` allows for command injection that can be exploited by a remote attacker to execute arbitrary commands on galera cluster nodes. This threatens the system's confidentiality, integrity, and availability. This flaw affects mariadb versions before 10.1.47, before 10.2.34, before 10.3.25, before 10.4.15 and before 10.5.6.
6 CVE-2020-9402 89 Sql Bypass 2020-03-05 2020-07-14
6.5
None Remote Low ??? Partial Partial Partial
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
7 CVE-2019-18890 89 Sql 2019-11-21 2019-11-26
4.0
None Remote Low ??? Partial None None
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.
8 CVE-2019-14234 89 Sql 2019-08-09 2019-08-28
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
9 CVE-2019-7548 89 Sql 2019-02-06 2021-11-30
6.8
None Remote Medium Not required Partial Partial Partial
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
10 CVE-2019-7164 89 Sql 2019-02-20 2021-12-03
7.5
None Remote Low Not required Partial Partial Partial
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
11 CVE-2018-10915 89 Sql Bypass 2018-08-09 2021-08-04
6.0
None Remote Medium ??? Partial Partial Partial
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.
12 CVE-2018-7033 89 Sql 2018-03-15 2019-02-28
7.5
None Remote Low Not required Partial Partial Partial
SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.5 allows SQL Injection attacks against SlurmDBD.
13 CVE-2018-4056 89 Sql Bypass 2019-02-05 2019-02-20
7.5
None Remote Low Not required Partial Partial Partial
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
14 CVE-2017-14990 312 Sql 2017-10-03 2019-10-03
4.0
None Remote Low ??? Partial None None
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
15 CVE-2017-11509 89 Exec Code Sql 2018-03-28 2021-11-23
9.0
None Remote Low ??? Complete Complete Complete
An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement.
16 CVE-2017-5611 89 Exec Code Sql 2017-01-30 2021-01-30
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.
17 CVE-2013-2745 89 Sql 2019-12-04 2019-12-10
7.5
None Remote Low Not required Partial Partial Partial
An SQL Injection vulnerability exists in MiniDLNA prior to 1.1.0
Total number of vulnerabilities : 17   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.