CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2019(SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1010259 89 Sql 2019-07-18 2019-08-13
7.5
None Remote Low Not required Partial Partial Partial
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4.
2 CVE-2019-1010248 89 Sql 2019-07-18 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malicious HTTP POST request. The fixed version is: 1.12.1.
3 CVE-2019-1010201 89 Sql 2019-07-23 2019-07-24
4.0
None Remote Low ??? Partial None None
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later.
4 CVE-2019-1010191 89 Sql 2019-07-24 2019-07-29
7.5
None Remote Low Not required Partial Partial Partial
marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6.
5 CVE-2019-1010153 89 Sql 2019-07-23 2019-07-24
7.5
None Remote Low Not required Partial Partial Partial
zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php.
6 CVE-2019-1010148 89 Exec Code Sql 2019-07-23 2019-07-24
7.5
None Remote Low Not required Partial Partial Partial
zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.
7 CVE-2019-1010104 89 Sql 2019-07-18 2019-07-23
7.5
None Remote Low Not required Partial Partial Partial
TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request.
8 CVE-2019-1010034 89 Sql 2019-07-15 2019-08-21
4.0
None Remote Low ??? Partial None None
Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC.
9 CVE-2019-1000023 89 Exec Code Sql 2019-02-04 2019-02-06
7.5
None Remote Low Not required Partial Partial Partial
OPT/NET BV OPTOSS Next Gen Network Management System (NG-NetMS) version v3.6-2 and earlier versions contains a SQL Injection vulnerability in Identified vulnerable parameters: id, id_access_type and id_attr_access that can result in a malicious attacker can include own SQL commands which database will execute. This attack appears to be exploitable via network connectivity.
10 CVE-2019-19850 89 Sql 2019-12-17 2019-12-20
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges.
11 CVE-2019-19846 89 Sql 2019-12-18 2019-12-18
7.5
None Remote Low Not required Partial Partial Partial
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
12 CVE-2019-19740 89 Sql 2019-12-12 2020-01-21
7.5
None Remote Low Not required Partial Partial Partial
Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
13 CVE-2019-19734 89 Sql 2019-12-30 2020-01-07
6.5
None Remote Low ??? Partial Partial Partial
_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
14 CVE-2019-19732 89 Sql 2019-12-30 2020-01-08
6.5
None Remote Low ??? Partial Partial Partial
translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection.
15 CVE-2019-19650 89 Sql 2019-12-11 2019-12-19
6.5
None Remote Low ??? Partial Partial Partial
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
16 CVE-2019-19649 89 Sql 2019-12-11 2019-12-19
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
17 CVE-2019-19250 89 Sql 2019-11-25 2019-12-04
7.5
None Remote Low Not required Partial Partial Partial
OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js.
18 CVE-2019-19245 89 Sql 2019-12-02 2019-12-11
7.5
None Remote Low Not required Partial Partial Partial
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
19 CVE-2019-19207 89 Sql 2019-11-21 2019-11-26
6.5
None Remote Low ??? Partial Partial Partial
rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.
20 CVE-2019-19113 89 Sql 2019-11-18 2019-12-03
7.5
None Remote Low Not required Partial Partial Partial
main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection.
21 CVE-2019-19016 89 Sql 2019-12-02 2019-12-04
5.0
None Remote Low Not required Partial None None
An issue was discovered in TitanHQ WebTitan before 5.18. Some functions, such as /history-x.php, of the administration interface are vulnerable to SQL Injection through the results parameter. This could be used by an attacker to extract sensitive information from the appliance database.
22 CVE-2019-18890 89 Sql 2019-11-21 2019-11-26
4.0
None Remote Low ??? Partial None None
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.
23 CVE-2019-18784 89 Sql 2019-11-06 2019-11-06
7.5
None Remote Low Not required Partial Partial Partial
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
24 CVE-2019-18663 89 Exec Code Sql 2019-11-04 2019-11-05
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter.
25 CVE-2019-18662 89 Sql 2019-11-02 2019-12-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled.
26 CVE-2019-18646 89 Sql 2019-11-14 2019-11-14
6.5
None Remote Low ??? Partial Partial Partial
The Untangle NG firewall 14.2.0 is vulnerable to authenticated inline-query SQL injection within the timeDataDynamicColumn parameter when logged in as an admin user.
27 CVE-2019-18622 89 Sql 2019-11-22 2020-01-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
28 CVE-2019-18464 89 Sql 2019-10-31 2019-11-06
7.5
None Remote Low Not required Partial Partial Partial
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database or may be able to alter the database.
29 CVE-2019-18413 79 Sql XSS Bypass 2019-10-24 2021-12-07
7.5
None Remote Low Not required Partial Partial Partial
In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product.
30 CVE-2019-18387 89 Exec Code Sql 2019-10-23 2019-10-28
7.5
None Remote Low Not required Partial Partial Partial
Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
31 CVE-2019-18344 89 Exec Code Sql 2019-10-23 2020-09-03
7.5
None Remote Low Not required Partial Partial Partial
Sourcecodester Online Grading System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, or user page (id or classid parameter).
32 CVE-2019-18234 89 Exec Code Sql 2019-12-23 2019-12-30
7.5
None Remote Low Not required Partial Partial Partial
Equinox Control Expert all versions, is vulnerable to an SQL injection attack, which may allow an attacker to remotely execute arbitrary code.
33 CVE-2019-18229 89 Sql 2019-10-31 2021-05-13
4.0
None Remote Low ??? Partial None None
Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input cause SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.
34 CVE-2019-17612 89 Sql 2019-10-15 2019-10-17
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
35 CVE-2019-17602 89 Sql 2019-10-15 2021-05-04
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
36 CVE-2019-17580 89 Sql 2019-10-14 2019-10-16
7.5
None Remote Low Not required Partial Partial Partial
tonyy dormsystem through 1.3 allows SQL Injection in admin.php.
37 CVE-2019-17553 89 Sql 2019-10-14 2019-10-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.
38 CVE-2019-17552 89 Sql 2019-10-14 2019-10-16
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.
39 CVE-2019-17527 89 Sql 2019-12-19 2020-01-02
7.5
None Remote Low Not required Partial Partial Partial
dataForDepandantField in models/custormfields.php in the JS JOBS FREE extension before 1.2.7 for Joomla! allows SQL Injection via the index.php?option=com_jsjobs&task=customfields.getfieldtitlebyfieldandfieldfo child parameter.
40 CVE-2019-17429 89 Sql 2019-10-10 2019-10-11
7.5
None Remote Low Not required Partial Partial Partial
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter.
41 CVE-2019-17419 89 Sql 2019-10-10 2019-10-10
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter.
42 CVE-2019-17418 89 Sql 2019-10-10 2019-10-10
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997.
43 CVE-2019-17319 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user.
44 CVE-2019-17318 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user.
45 CVE-2019-17298 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user.
46 CVE-2019-17297 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user.
47 CVE-2019-17296 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user.
48 CVE-2019-17295 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user.
49 CVE-2019-17294 89 Sql 2019-10-07 2019-10-09
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user.
50 CVE-2019-17293 89 Sql 2019-10-07 2019-10-10
6.5
None Remote Low ??? Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user.
Total number of vulnerabilities : 551   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.