CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-89

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-1000217 89 Sql 2016-10-06 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
Zotpress plugin for WordPress SQLi in zp_get_account()
2 CVE-2016-1000125 89 Sql 2016-10-06 2016-11-07
7.5
None Remote Low Not required Partial Partial Partial
Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
3 CVE-2016-1000124 89 Sql 2016-10-06 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
4 CVE-2016-1000123 89 Sql 2016-10-06 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
5 CVE-2016-1000122 89 Sql XSS 2016-10-27 2016-11-28
6.5
None Remote Low Single system Partial Partial Partial
XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension
6 CVE-2016-1000120 89 Sql XSS 2016-10-27 2016-11-28
6.5
None Remote Low Single system Partial Partial Partial
SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla
7 CVE-2016-1000113 89 Sql XSS 2016-10-06 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
XSS and SQLi in huge IT gallery v1.1.5 for Joomla
8 CVE-2016-1000000 89 Sql 2016-10-06 2016-11-28
6.5
None Remote Low Single system Partial Partial Partial
Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection
9 CVE-2016-9481 89 Sql 2016-11-29 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
In framework/modules/core/controllers/expCommentController.php of Exponent CMS 2.4.0, content_id input is passed into showComments. The method showComments is defined in the expCommentControllercontroller with the parameter '$this->params['content_id']' used directly in SQL. Impact is a SQL injection.
10 CVE-2016-9288 89 Sql 2016-11-11 2016-11-29
7.5
None Remote Low Not required Partial Partial Partial
In framework/modules/navigation/controllers/navigationController.php in Exponent CMS v2.4.0 or older, the parameter "target" of function "DragnDropReRank" is directly used without any filtration which caused SQL injection. The payload can be used like this: /navigation/DragnDropReRank/target/1.
11 CVE-2016-9287 89 Sql 2016-11-15 2016-11-29
7.5
None Remote Low Not required Partial Partial Partial
In /framework/modules/notfound/controllers/notfoundController.php of Exponent CMS 2.4.0 patch1, untrusted input is passed into getSearchResults. The method getSearchResults is defined in the search model with the parameter '$term' used directly in SQL. Impact is a SQL injection.
12 CVE-2016-9283 89 Sql 2016-11-11 2016-11-29
5.0
None Remote Low Not required Partial None None
SQL Injection in framework/core/subsystems/expRouter.php in Exponent CMS v2.4.0 allows remote attackers to read database information via address/addContentToSearch/id/ and a trailing string, related to a "sef URL" issue.
13 CVE-2016-9282 89 Sql 2016-11-11 2016-11-29
5.0
None Remote Low Not required Partial None None
SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database information via action=search&module=search with the search_string parameter.
14 CVE-2016-9272 89 DoS Sql 2016-11-11 2016-11-29
6.4
None Remote Low Not required Partial None Partial
A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site database information disclosure and denial of service.
15 CVE-2016-9242 89 Exec Code Sql 2016-11-07 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS 2.4.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) content_type or (2) subtype parameter.
16 CVE-2016-9184 89 Sql 2016-11-04 2016-11-29
5.0
None Remote Low Not required Partial None None
In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table name, and in the selectObject method in mysqli class, table names are wrapped with a character that common filters do not filter, allowing for SQL Injection. Impact is Information Disclosure.
17 CVE-2016-9135 89 Sql 2016-11-03 2016-11-29
5.0
None Remote Low Not required Partial None None
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the version parameter. Impact is Information Disclosure.
18 CVE-2016-9134 89 Sql 2016-11-03 2016-11-29
5.0
None Remote Low Not required Partial None None
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/expPaginator.php" affecting the order parameter. Impact is Information Disclosure.
19 CVE-2016-8908 89 Exec Code Sql 2016-11-14 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
20 CVE-2016-8907 89 Exec Code Sql 2016-11-14 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
21 CVE-2016-8906 89 Exec Code Sql 2016-11-14 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
22 CVE-2016-8905 89 Exec Code Sql 2016-11-14 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.
23 CVE-2016-8904 89 Exec Code Sql 2016-11-14 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
24 CVE-2016-8903 89 Exec Code Sql 2016-11-14 2016-11-29
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
25 CVE-2016-8902 89 Exec Code Sql 2016-11-14 2016-11-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the categoriesServlet servlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter.
26 CVE-2016-8582 89 Sql 2016-10-28 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
A vulnerability exists in gauge.php of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to execute an arbitrary SQL query and retrieve database information or read local system files via MySQL's LOAD_FILE.
27 CVE-2016-8564 89 Exec Code Sql 2016-10-13 2016-12-02
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in Siemens Automation License Manager (ALM) before 5.3 SP3 Update 1 allows remote attackers to execute arbitrary SQL commands via crafted traffic to TCP port 4410.
28 CVE-2016-7919 89 Sql +Info 2016-10-28 2016-12-02
5.0
None Remote Low Not required Partial None None
** DISPUTED ** Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration panel function in the installation process component. NOTE: the vendor disputes the relevance of this report, noting that "the person who is installing Moodle must know database access credentials and they can access the database directly; there is no need for them to create a SQL injection in one of the installation dialogue fields."
29 CVE-2016-7453 89 Sql 2016-11-03 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to perform an fid SQL Injection.
30 CVE-2016-7405 89 Sql 2016-10-03 2016-10-04
7.5
None Remote Low Not required Partial Partial Partial
The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
31 CVE-2016-6652 89 Exec Code Sql 2016-10-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
32 CVE-2016-6453 89 Exec Code Sql 2016-11-03 2016-11-28
4.9
None Remote Medium Single system Partial Partial None
A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary SQL commands on the database. More Information: CSCva46542. Known Affected Releases: 1.3(0.876).
33 CVE-2016-6443 89 Sql 2016-10-27 2016-11-28
6.5
None Remote Low Single system Partial Partial Partial
A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability. More Information: CSCva27038, CSCva28335. Known Affected Releases: 3.1(0.128), 1.2(400), 2.0(1.0.34A).
34 CVE-2016-6419 89 Exec Code Sql 2016-10-05 2016-11-28
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in Cisco Firepower Management Center 4.10.3 through 5.4.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCur25485.
35 CVE-2016-6195 89 Exec Code Sql 2016-08-30 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.
36 CVE-2016-5843 89 Exec Code Sql 2016-09-16 2016-11-28
9.0
None Remote Low Not required Complete Partial Partial
Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters.
37 CVE-2016-5817 89 Exec Code Sql 2016-08-22 2016-08-22
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in news pages in Cargotec Navis WebAccess before 2016-08-10 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
38 CVE-2016-5792 89 Exec Code Sql 2016-08-07 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Moxa SoftCMS before 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified fields.
39 CVE-2016-5703 89 Exec Code Sql 2016-07-02 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query.
40 CVE-2016-5653 89 Exec Code Sql 2016-07-19 2016-11-28
4.0
None Remote Low Single system Partial None None
Multiple SQL injection vulnerabilities in Misys FusionCapital Opics Plus allow remote authenticated users to execute arbitrary SQL commands via the (1) ID or (2) Branch parameter.
41 CVE-2016-5048 89 Exec Code Sql 2016-08-26 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in chat/staff/default.aspx in ReadyDesk 9.1 allows remote attackers to execute arbitrary SQL commands via the user name field.
42 CVE-2016-4999 89 Exec Code Sql 2016-08-05 2016-08-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.
43 CVE-2016-4837 89 Exec Code Sql 2016-07-31 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Seed Coupon plugin before 1.6 for EC-CUBE allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
44 CVE-2016-4522 89 Exec Code Sql 2016-07-27 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
45 CVE-2016-4507 89 Exec Code Sql 2016-07-06 2016-07-08
5.5
None Remote Low Single system Partial Partial None
SQL injection vulnerability in Rexroth Bosch BLADEcontrol-WebVIS 3.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
46 CVE-2016-4351 89 Exec Code Sql 2016-05-05 2016-05-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the authentication functionality in Trend Micro Email Encryption Gateway (TMEEG) 5.5 before build 1107 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
47 CVE-2016-4350 89 Exec Code Sql 2016-05-09 2016-05-16
10.0
None Remote Low Not required Complete Complete Complete
Multiple SQL injection vulnerabilities in the Web Services web server in SolarWinds Storage Resource Monitor (SRM) Profiler (formerly Storage Manager (STM)) before 6.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) ScriptSchedule parameter in the ScriptServlet servlet; the (2) winEventId or (3) winEventLog parameter in the WindowsEventLogsServlet servlet; the (4) processOS parameter in the ProcessesServlet servlet; the (5) group, (6) groupName, or (7) clientName parameter in the BackupExceptionsServlet servlet; the (8) valDB or (9) valFS parameter in the BackupAssociationServlet servlet; the (10) orderBy or (11) orderDir parameter in the HostStorageServlet servlet; the (12) fileName, (13) sortField, or (14) sortDirection parameter in the DuplicateFilesServlet servlet; the (15) orderFld or (16) orderDir parameter in the QuantumMonitorServlet servlet; the (17) exitCode parameter in the NbuErrorMessageServlet servlet; the (18) udfName, (19) displayName, (20) udfDescription, (21) udfDataValue, (22) udfSectionName, or (23) udfId parameter in the UserDefinedFieldConfigServlet servlet; the (24) sortField or (25) sortDirection parameter in the XiotechMonitorServlet servlet; the (26) sortField or (27) sortDirection parameter in the BexDriveUsageSummaryServlet servlet; the (28) state parameter in the ScriptServlet servlet; the (29) assignedNames parameter in the FileActionAssignmentServlet servlet; the (30) winEventSource parameter in the WindowsEventLogsServlet servlet; or the (31) name, (32) ipOne, (33) ipTwo, or (34) ipThree parameter in the XiotechMonitorServlet servlet.
48 CVE-2016-4040 89 Exec Code Sql 2016-04-19 2016-04-22
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.
49 CVE-2016-3675 89 Exec Code Sql 2016-04-11 2016-04-13
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in Huawei Policy Center with software before V100R003C10SPC020 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to system databases.
50 CVE-2016-3659 89 Exec Code Sql 2016-04-11 2016-11-30
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in graph_view.php in Cacti 0.8.8.g allows remote authenticated users to execute arbitrary SQL commands via the host_group_data parameter.
Total number of vulnerabilities : 4227   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.