CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1002028 89 Sql 2017-09-14 2017-09-20
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin wordpress-gallery-transformation v1.0, SQL injection is in ./wordpress-gallery-transformation/gallery.php via $jpic parameter being unsanitized before being passed into an SQL query.
2 CVE-2017-1002027 89 Sql 2017-09-14 2017-09-20
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin rk-responsive-contact-form v1.0, The variable $delid isn't sanitized before being passed into an SQL query in file ./rk-responsive-contact-form/include/rk_user_list.php.
3 CVE-2017-1002026 89 Sql 2017-09-14 2017-09-20
6.5
None Remote Low Single system Partial Partial Partial
Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement.
4 CVE-2017-1002025 89 Sql 2017-09-14 2017-09-21
6.5
None Remote Low Single system Partial Partial Partial
Vulnerability in wordpress plugin add-edit-delete-listing-for-member-module v1.0, The plugin author does not sanitize user supplied input via $act before passing it into an SQL statement.
5 CVE-2017-1002023 89 Sql 2017-09-14 2017-09-21
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin Easy Team Manager v1.3.2, The code does not sanitize id before making it part of an SQL statement in file ./easy-team-manager/inc/easy_team_manager_desc_edit.php
6 CVE-2017-1002022 89 Sql 2017-09-14 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin surveys v1.01.8, The code in questions.php does not sanitize the survey variable before placing it inside of an SQL query.
7 CVE-2017-1002021 89 Sql 2017-09-14 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin surveys v1.01.8, The code in individual_responses.php does not sanitize the survey_id variable before placing it inside of an SQL query.
8 CVE-2017-1002020 89 Sql 2017-09-14 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_form.php does not sanitize the action variable before placing it inside of an SQL query.
9 CVE-2017-1002019 89 Sql 2017-09-14 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and event_form.php code do not sanitize input, this allows for blind SQL injection via the event parameter.
10 CVE-2017-1002018 89 Sql 2017-09-14 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and attendees.php code do not sanitize input, this allows for blind SQL injection via the event parameter.
11 CVE-2017-1002015 89 Sql 2017-09-14 2017-09-20
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via selectMulGallery parameter.
12 CVE-2017-1002014 89 Sql 2017-09-14 2017-09-20
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via gallery_name parameter.
13 CVE-2017-1002013 89 Sql 2017-09-14 2017-09-20
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection via imgid parameter in image-gallery-with-slideshow/admin_setting.php.
14 CVE-2017-1002010 89 Sql 2017-09-14 2017-09-21
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete_media function.
15 CVE-2017-1002009 89 Sql 2017-09-14 2017-09-21
7.5
None Remote Low Not required Partial Partial Partial
Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete function.
16 CVE-2017-1000120 89 Exec Code Sql 2017-10-04 2017-10-13
6.5
None Remote Low Single system Partial Partial Partial
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.
17 CVE-2017-1000067 89 Sql 2017-07-17 2017-07-21
6.5
None Remote Low Single system Partial Partial Partial
MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges.
18 CVE-2017-1000060 89 Sql 2017-07-17 2017-07-19
10.0
None Remote Low Not required Complete Complete Complete
EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root
19 CVE-2017-1000031 89 Exec Code Sql 2017-07-17 2017-07-19
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters.
20 CVE-2017-1000004 89 Exec Code Sql 2017-07-17 2017-08-04
7.5
None Remote Low Not required Partial Partial Partial
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution.
21 CVE-2017-15579 Sql 2017-10-17 2017-10-17
0.0
None ??? ??? ??? ??? ??? ???
In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pages_per_page cookie in a playlist action to watch.php.
22 CVE-2017-15578 Sql 2017-10-17 2017-10-17
0.0
None ??? ??? ??? ??? ??? ???
In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php.
23 CVE-2017-15539 Sql 2017-10-17 2017-10-17
0.0
None ??? ??? ??? ??? ??? ???
SQL Injection exists in zorovavi/blog through 2017-10-17 via the id parameter to recept.php.
24 CVE-2017-15373 Sql 2017-10-16 2017-10-16
0.0
None ??? ??? ??? ??? ??? ???
E-Sic 1.0 allows SQL injection via the q parameter to esiclivre/restrito/inc/lkpcep.php (aka the search private area).
25 CVE-2017-14990 200 Sql +Info 2017-10-02 2017-10-13
4.0
None Remote Low Single system Partial None None
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
26 CVE-2017-14848 89 Sql 2017-10-02 2017-10-12
6.5
None Remote Low Single system Partial Partial Partial
WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.
27 CVE-2017-14847 89 Sql 2017-09-27 2017-10-05
6.5
None Remote Low Single system Partial Partial Partial
Mojoomla WPAMS Apartment Management System for WordPress allows SQL Injection via the id parameter.
28 CVE-2017-14846 89 Sql 2017-09-27 2017-10-05
6.5
None Remote Low Single system Partial Partial Partial
Mojoomla Hospital Management System for WordPress allows SQL Injection via the id parameter.
29 CVE-2017-14845 89 Sql 2017-09-27 2017-10-05
6.5
None Remote Low Single system Partial Partial Partial
Mojoomla WPCHURCH Church Management System for WordPress allows SQL Injection via the id parameter.
30 CVE-2017-14844 89 Sql 2017-09-27 2017-10-05
6.5
None Remote Low Single system Partial Partial Partial
Mojoomla WPGYM WordPress Gym Management System allows SQL Injection via the id parameter.
31 CVE-2017-14843 89 Sql 2017-09-27 2017-10-05
6.5
None Remote Low Single system Partial Partial Partial
Mojoomla School Management System for WordPress allows SQL Injection via the id parameter.
32 CVE-2017-14842 89 Sql 2017-09-27 2017-10-05
6.5
None Remote Low Single system Partial Partial Partial
Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter.
33 CVE-2017-14760 89 Sql 2017-09-27 2017-10-06
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection exists in /includes/event-management/index.php in the event-espresso-free (aka Event Espresso Lite) plugin v3.1.37.12.L for WordPress via the recurrence_id parameter to /wp-admin/admin.php.
34 CVE-2017-14758 89 Sql 2017-10-02 2017-10-17
6.5
None Remote Low Single system Partial Partial Partial
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
35 CVE-2017-14757 89 Sql 2017-10-02 2017-10-17
6.5
None Remote Low Single system Partial Partial Partial
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to be exploited, an attacker must authenticate to the application first.
36 CVE-2017-14743 89 Sql 2017-09-26 2017-10-10
9.3
None Remote Medium Not required Complete Complete Complete
Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL injection via the Username element in an XML document to /onvif/device_service, as demonstrated by reading the admin password.
37 CVE-2017-14738 89 Sql 2017-09-29 2017-10-10
7.5
None Remote Low Not required Partial Partial Partial
FileRun (version 2017.09.18 and below) suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the metafield parameter inside the metasearch module (under the search function).
38 CVE-2017-14723 89 Sql 2017-09-23 2017-10-15
7.5
None Remote Low Not required Partial Partial Partial
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
39 CVE-2017-14703 89 Exec Code Sql 2017-09-26 2017-10-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/.
40 CVE-2017-14652 89 Sql 2017-09-21 2017-10-03
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process.
41 CVE-2017-14601 89 Sql 2017-09-19 2017-09-22
4.0
None Remote Low Single system Partial None None
Pragyan CMS v3.0 is vulnerable to a Boolean-based SQL injection in cms/admin.lib.php via $_GET['forwhat'], resulting in Information Disclosure.
42 CVE-2017-14600 89 Sql 2017-09-19 2017-09-22
4.0
None Remote Low Single system Partial None None
Pragyan CMS v3.0 is vulnerable to an Error-Based SQL injection in cms/admin.lib.php via $_GET['del_black'], resulting in Information Disclosure.
43 CVE-2017-14512 89 Sql 2017-09-17 2017-09-21
7.5
None Remote Low Not required Partial Partial Partial
NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an editforum action, a different vulnerability than CVE-2017-12981.
44 CVE-2017-14508 89 Sql 2017-09-17 2017-09-22
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits.
45 CVE-2017-14507 89 Exec Code Sql 2017-09-28 2017-10-10
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_timeline_edit.php or (3) pages/content_timeline_index.php.
46 CVE-2017-14403 89 Sql 2017-09-12 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the term parameter to module/admin_group/search.php.
47 CVE-2017-14402 89 Sql 2017-09-12 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT CREATION" section, related to lack of input validation in include/function.php.
48 CVE-2017-14401 89 Sql 2017-09-12 2017-09-18
7.5
None Remote Low Not required Partial Partial Partial
The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT UPDATE" section.
49 CVE-2017-14396 89 Sql 2017-09-12 2017-09-21
7.5
None Remote Low Not required Partial Partial Partial
In osTicket before 1.10.1, SQL injection is possible by constructing an array via use of square brackets at the end of a parameter name, as demonstrated by the key parameter to file.php.
50 CVE-2017-14345 89 Sql 2017-09-12 2017-09-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection exists in tianchoy/blog through 2017-09-12 via the id parameter to view.php.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.