CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-9848 Exec Code Sql 2017-06-24 2017-06-24
0.0
None ??? ??? ??? ??? ??? ???
SQL injection vulnerability in C_InfoService.asmx in WebServices in Easysite 7.0 could allow remote attackers to execute arbitrary SQL commands via an XML document containing a crafted ArticleIDs element within a GetArticleHitsArray element.
2 CVE-2017-9759 89 Sql 2017-06-19 2017-06-22
6.5
None Remote Low Single system Partial Partial Partial
SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the filters array parameter, exploitable by a privileged account.
3 CVE-2017-9730 89 Exec Code Sql 2017-06-19 2017-06-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
4 CVE-2017-9603 89 Exec Code Sql 2017-06-13 2017-06-20
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php.
5 CVE-2017-9463 89 Sql +Info 2017-06-14 2017-06-19
4.0
None Remote Low Single system Partial None None
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
6 CVE-2017-9449 89 Exec Code Sql 2017-06-06 2017-06-12
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name.
7 CVE-2017-9443 89 Sql 2017-06-05 2017-06-09
6.5
None Remote Low Single system Partial Partial Partial
** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
8 CVE-2017-9437 89 Sql 2017-06-05 2017-06-13
6.5
None Remote Low Single system Partial Partial Partial
Openbravo Business Suite 3.0 is affected by SQL injection. This vulnerability could allow remote authenticated attackers to inject arbitrary SQL code.
9 CVE-2017-9436 89 Sql 2017-06-05 2017-06-13
7.5
None Remote Low Not required Partial Partial Partial
TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php.
10 CVE-2017-9435 89 Sql 2017-06-05 2017-06-08
7.5
None Remote Low Not required Partial Partial Partial
Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).
11 CVE-2017-9429 89 Exec Code Sql 2017-06-13 2017-06-20
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php.
12 CVE-2017-9427 89 Exec Code Sql 2017-06-04 2017-06-06
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true.
13 CVE-2017-9418 89 Exec Code Sql 2017-06-12 2017-06-20
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php.
14 CVE-2017-9360 89 Sql 2017-06-02 2017-06-06
7.5
None Remote Low Not required Partial Partial Partial
WebsiteBaker v2.10.0 has a SQL injection vulnerability in /account/details.php.
15 CVE-2017-9246 Sql Bypass 2017-06-13 2017-06-13
0.0
None ??? ??? ??? ??? ??? ???
New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.
16 CVE-2017-8917 89 Exec Code Sql 2017-05-17 2017-05-30
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
17 CVE-2017-8835 89 Sql 2017-06-05 2017-06-12
7.5
None Remote Low Not required Partial Partial Partial
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.
18 CVE-2017-8796 89 Sql 2017-05-05 2017-05-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because mysql_real_escape_string is misused, seos/courier/communication_p2p.php allows SQL injection with the app_id parameter.
19 CVE-2017-8789 89 Sql 2017-05-05 2017-05-17
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists.
20 CVE-2017-8377 89 Sql 2017-05-01 2017-05-10
6.5
None Remote Low Single system Partial Partial Partial
GeniXCMS 1.0.2 has SQL Injection in inc/lib/Control/Backend/menus.control.php via the menuid parameter.
21 CVE-2017-7991 89 Sql 2017-04-21 2017-04-27
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.
22 CVE-2017-7952 89 Sql 2017-05-16 2017-05-24
6.5
None Remote Low Single system Partial Partial Partial
INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter.
23 CVE-2017-7886 89 Sql 2017-05-10 2017-05-15
7.5
None Remote Low Not required Partial Partial Partial
Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.
24 CVE-2017-7879 89 Sql 2017-04-14 2017-04-21
5.0
None Remote Low Not required Partial None None
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.
25 CVE-2017-7878 89 Sql 2017-04-14 2017-04-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.
26 CVE-2017-7719 89 Sql 2017-04-12 2017-04-20
7.5
None Remote Low Not required Partial Partial Partial
SQL injection in the Spider Event Calendar (aka spider-event-calendar) plugin before 1.5.52 for WordPress is exploitable with the order_by parameter to calendar_functions.php or widget_Theme_functions.php, related to front_end/frontend_functions.php.
27 CVE-2017-7717 89 Exec Code Sql 2017-04-14 2017-04-21
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
28 CVE-2017-7628 89 Sql 2017-04-12 2017-04-20
7.5
None Remote Low Not required Partial Partial Partial
The "Smart related articles" extension 1.1 for Joomla! has SQL injection in dialog.php (attacker must use search_cats variable in POST method to exploit this vulnerability).
29 CVE-2017-7581 89 Exec Code Sql 2017-04-07 2017-04-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed.
30 CVE-2017-7410 89 Exec Code Sql 2017-04-03 2017-04-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter.
31 CVE-2017-7290 89 Exec Code Sql 2017-03-30 2017-04-03
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.
32 CVE-2017-7236 89 Exec Code Sql 2017-05-25 2017-06-02
5.0
None Remote Low Not required Partial None None
SQL injection vulnerability in NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
33 CVE-2017-7221 89 Exec Code +Priv Sql 2017-04-25 2017-05-05
6.5
None Remote Low Single system Partial Partial Partial
OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.
34 CVE-2017-6668 89 Sql 2017-06-13 2017-06-26
4.0
None Remote Low Single system Partial None None
Vulnerabilities in the web-based GUI of Cisco Unified Communications Domain Manager (CUCDM) could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. More Information: CSCvc52784 CSCvc97648. Known Affected Releases: 8.1(7)ER1.
35 CVE-2017-6578 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/subscriber_list.php with the POST Parameter: subscriber_email.
36 CVE-2017-6577 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/subscriber_list.php with the POST Parameter: list_id.
37 CVE-2017-6576 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/campaign-delete.php with the GET Parameter: id.
38 CVE-2017-6575 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/edit_member.php with the GET Parameter: member_id.
39 CVE-2017-6574 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/edit_member.php with the GET Parameter: filter_list.
40 CVE-2017-6573 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/edit-list.php with the GET Parameter: id.
41 CVE-2017-6572 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/add_member.php with the GET Parameter: filter_list.
42 CVE-2017-6571 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/view-campaign.php with the GET Parameter: id.
43 CVE-2017-6570 89 Sql 2017-03-09 2017-03-13
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/view-campaign-list.php with the GET Parameter: id.
44 CVE-2017-6557 89 Exec Code Sql 2017-05-05 2017-05-17
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the portal bookmark function is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
45 CVE-2017-6550 89 Exec Code Sql 2017-03-20 2017-03-23
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Kinsey Infor-Lawson (formerly ESBUS) allow remote attackers to execute arbitrary SQL commands via the (1) TABLE parameter to esbus/servlet/GetSQLData or (2) QUERY parameter to KK_LS9ReportingPortal/GetData.
46 CVE-2017-6492 89 Sql 2017-03-05 2017-03-24
9.0
None Remote Low Single system Complete Complete Complete
SQL Injection was discovered in adm_program/modules/dates/dates_function.php in Admidio 3.2.5. The POST parameter dat_cat_id is concatenated into a SQL query without any input validation/sanitization.
47 CVE-2017-6195 89 Sql 2017-05-18 2017-05-26
7.5
None Remote Low Not required Partial Partial Partial
Ipswitch MOVEit Transfer (formerly DMZ) allows pre-authentication blind SQL injection. The fixed versions are MOVEit Transfer 2017 9.0.0.201, MOVEit DMZ 8.3.0.30, and MOVEit DMZ 8.2.0.20.
48 CVE-2017-6098 89 Sql 2017-02-21 2017-02-23
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (Requires authentication to Wordpress admin) with the POST Parameter: list_id.
49 CVE-2017-6097 89 Sql 2017-02-21 2017-02-23
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (Requires authentication to Wordpress admin) with the POST Parameter: camp_id.
50 CVE-2017-6096 89 Sql 2017-02-21 2017-02-23
6.5
None Remote Low Single system Partial Partial Partial
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (Requires authentication to Wordpress admin) with the GET Parameter: filter_list.
Total number of vulnerabilities : 6554   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.