CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-89

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-7879 89 Sql 2017-04-14 2017-04-21
5.0
None Remote Low Not required Partial None None
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.
2 CVE-2017-7878 89 Sql 2017-04-14 2017-04-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.
3 CVE-2017-7719 89 Sql 2017-04-12 2017-04-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection in the Spider Event Calendar (aka spider-event-calendar) plugin before 1.5.52 for WordPress is exploitable with the order_by parameter to calendar_functions.php or widget_Theme_functions.php, related to front_end/frontend_functions.php.
4 CVE-2017-7717 89 Exec Code Sql 2017-04-14 2017-04-21
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
5 CVE-2017-7628 89 Sql 2017-04-12 2017-04-20
7.5
None Remote Low Not required Partial Partial Partial
The "Smart related articles" extension 1.1 for Joomla! has SQL injection in dialog.php (attacker must use search_cats variable in POST method to exploit this vulnerability).
6 CVE-2017-7581 89 Exec Code Sql 2017-04-07 2017-04-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed.
7 CVE-2017-7410 89 Exec Code Sql 2017-04-03 2017-04-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter.
8 CVE-2017-7290 89 Exec Code Sql 2017-03-30 2017-04-03
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.
9 CVE-2017-6578 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/subscriber_list.php with the POST Parameter: subscriber_email.
10 CVE-2017-6577 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/subscriber_list.php with the POST Parameter: list_id.
11 CVE-2017-6576 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/campaign-delete.php with the GET Parameter: id.
12 CVE-2017-6575 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/edit_member.php with the GET Parameter: member_id.
13 CVE-2017-6574 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/edit_member.php with the GET Parameter: filter_list.
14 CVE-2017-6573 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/edit-list.php with the GET Parameter: id.
15 CVE-2017-6572 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/add_member.php with the GET Parameter: filter_list.
16 CVE-2017-6571 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/view-campaign.php with the GET Parameter: id.
17 CVE-2017-6570 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/view-campaign-list.php with the GET Parameter: id.
18 CVE-2017-6550 89 Exec Code Sql 2017-03-20 2017-03-23
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Kinsey Infor-Lawson (formerly ESBUS) allow remote attackers to execute arbitrary SQL commands via the (1) TABLE parameter to esbus/servlet/GetSQLData or (2) QUERY parameter to KK_LS9ReportingPortal/GetData.
19 CVE-2017-6492 89 Sql 2017-03-05 2017-03-24
9.0
None Remote Low Single system Complete Complete Complete
SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization.
20 CVE-2017-6098 89 Sql 2017-02-21 2017-02-23
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (Requires authentication to Wordpress admin) with the POST Parameter: list_id.
21 CVE-2017-6097 89 Sql 2017-02-21 2017-02-23
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (Requires authentication to Wordpress admin) with the POST Parameter: camp_id.
22 CVE-2017-6096 89 Sql 2017-02-21 2017-02-23
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (Requires authentication to Wordpress admin) with the GET Parameter: filter_list.
23 CVE-2017-6095 89 Sql 2017-02-21 2017-02-23
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id.
24 CVE-2017-6088 89 Exec Code Sql 2017-04-11 2017-04-17
9.0
None Remote Low Single system Complete Complete Complete
Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) bp_name, (2) display, (3) search, or (4) equipment parameter in module/monitoring_ged/ged_functions.php or the (5) type parameter in monitoring_ged/ajax.php.
25 CVE-2017-6065 89 Exec Code Sql 2017-02-17 2017-02-23
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter.
26 CVE-2017-6013 89 Sql 2017-03-26 2017-03-28
7.5
None Remote Low Not required Partial Partial Partial
Subrion CMS 4.0.5.10 has SQL injection in admin/database/ via the query parameter.
27 CVE-2017-5879 89 Sql 2017-02-06 2017-02-08
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects source_selector.php and the following parameter: src.
28 CVE-2017-5611 89 Exec Code Sql 2017-01-29 2017-02-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.
29 CVE-2017-5609 89 Exec Code Sql 2017-01-28 2017-03-23
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter.
30 CVE-2017-5598 89 Sql 2017-01-27 2017-01-31
5.0
None Remote Low Not required Partial None None
An issue was discovered in eClinicalWorks healow@work 8.0 build 8. This is a blind SQL injection within the EmployeePortalServlet, which can be exploited by un-authenticated users via an HTTP POST request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects the EmployeePortalServlet page and the following parameter: employer.
31 CVE-2017-5575 89 Exec Code Sql 2017-01-23 2017-01-26
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in inc/lib/Options.class.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the modules parameter.
32 CVE-2017-5574 89 Exec Code Sql 2017-01-23 2017-01-26
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows unauthenticated users to execute arbitrary SQL commands via the activation parameter.
33 CVE-2017-5570 89 Sql 2017-01-23 2017-01-26
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a blind SQL injection within the messageJson.jsp, which can only be exploited by authenticated users via an HTTP POST request and which can be used to dump database data out to a malicious server, using an out-of-band technique such as select_loadfile().
34 CVE-2017-5569 89 Sql 2017-01-23 2017-01-26
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a blind SQL injection within the template.jsp, which can be exploited without the need of authentication and via an HTTP POST request, and which can be used to dump database data out to a malicious server, using an out-of-band technique such as select_loadfile().
35 CVE-2017-5519 89 Exec Code Sql 2017-01-17 2017-01-27
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Posts.class.php in GeniXCMS through 0.0.8 allows remote attackers to execute arbitrary SQL commands via the id parameter.
36 CVE-2017-5517 89 Exec Code Sql 2017-01-17 2017-01-27
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in author.control.php in GeniXCMS through 0.0.8 allows remote attackers to execute arbitrary SQL commands via the type parameter.
37 CVE-2017-5347 89 Exec Code Sql 2017-01-12 2017-01-27
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in inc/mod/newsletter/options.php in GeniXCMS 0.0.8 allows remote authenticated administrators to execute arbitrary SQL commands via the recipient parameter to gxadmin/index.php.
38 CVE-2017-5346 89 Exec Code Sql 2017-01-12 2017-01-27
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in inc/lib/Control/Backend/posts.control.php in GeniXCMS 0.0.8 allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter to gxadmin/index.php.
39 CVE-2017-5345 89 Exec Code Sql 2017-01-12 2017-01-27
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in inc/lib/Control/Ajax/tags-ajax.control.php in GeniXCMS 0.0.8 allows remote authenticated editors to execute arbitrary SQL commands via the term parameter to the default URI.
40 CVE-2017-5344 89 Sql 2017-02-17 2017-03-06
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklist were implemented in a new class, SQLUtil (main/java/com/dotmarketing/common/util/SQLUtil.java), as part of the remediation of CVE-2016-8902; however, these can be overcome in the case of the q and inode parameters to the /categoriesServlet path. Overcoming these controls permits a number of blind boolean SQL injection vectors in either parameter. The /categoriesServlet web path can be accessed remotely and without authentication in a default dotCMS deployment.
41 CVE-2017-5218 89 Sql 2017-02-02 2017-03-02
6.5
None Remote Low Single system Partial Partial Partial
A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The database variable can be populated from the URL, and when supplied non-expected characters, can be manipulated to obtain access to the underlying database. The /CRM/CustomPages/ACCPAC/AP_DocumentUI.asp?SID=<VALID-SID>&database=1';WAITFOR DELAY '0:0:5'-- URI is a Proof of Concept.
42 CVE-2017-5154 89 Sql 2017-02-13 2017-02-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Advantech WebAccess Version 8.1. To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. Successful attack could result in administrative access to the application and its data files.
43 CVE-2017-5151 89 Exec Code Sql 2017-02-13 2017-02-16
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in VideoInsight Web Client Version 6.3.5.11 and previous versions. A SQL Injection vulnerability has been identified, which may allow remote code execution.
44 CVE-2017-3899 89 Sql +Info 2017-03-14 2017-03-23
4.0
None Remote Low Single system Partial None None
SQL injection vulnerability in Intel Security Advanced Threat Defense (ATD) Linux 3.6.0 and earlier allows remote authenticated users to obtain product information via a crafted HTTP request parameter.
45 CVE-2017-3886 89 Sql 2017-04-07 2017-04-13
4.0
None Remote Low Single system Partial None None
A vulnerability in the Cisco Unified Communications Manager web interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. The attacker must be authenticated as an administrative user to execute SQL database queries. More Information: CSCvc74291. Known Affected Releases: 1.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 12.0(0.98000.619) 12.0(0.98000.485) 12.0(0.98000.212) 11.5(1.13035.1) 11.0(1.23900.5) 11.0(1.23900.2) 11.0(1.23067.1) 10.5(2.15900.2).
46 CVE-2017-3835 89 Sql 2017-02-21 2017-03-06
6.5
None Remote Low Single system Partial Partial Partial
A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users, because of SQL Injection. More Information: CSCvb15627. Known Affected Releases: 1.4(0.908).
47 CVE-2017-2641 89 Sql 2017-03-26 2017-03-28
7.5
None Remote Low Not required Partial Partial Partial
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
48 CVE-2016-1000217 89 Sql 2016-10-06 2016-12-22
7.5
None Remote Low Not required Partial Partial Partial
Zotpress plugin for WordPress SQLi in zp_get_account()
49 CVE-2016-1000125 89 Sql 2016-10-06 2017-03-28
7.5
None Remote Low Not required Partial Partial Partial
Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
50 CVE-2016-1000124 89 Sql 2016-10-06 2017-03-28
7.5
None Remote Low Not required Partial Partial Partial
Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
Total number of vulnerabilities : 4329   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.