CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2006(SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2006-2103 89 Exec Code Sql 2006-04-29 2018-10-18
2.1
None Remote High Single system None Partial None
SQL injection vulnerability in MyBB (MyBulletinBoard) 1.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the (1) query string ($querystring variable) in (a) admin/adminlogs.php, which is not properly handled by adminfunctions.php; or (2) setid, (3) expand, (4) title, or (5) sid2 parameters to (b) admin/templates.php.
2 CVE-2006-2097 Exec Code Sql 2006-04-29 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in func_msg.php in Invision Power Board (IPB) 2.1.4 allows remote attackers to execute arbitrary SQL commands via the from_contact field in a private message (PM).
3 CVE-2006-2090 89 Exec Code Sql 2006-04-29 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in misc.php in MySmartBB 1.1.x allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) username parameters.
4 CVE-2006-2088 Sql XSS 2006-04-29 2018-10-18
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Devsyn Open Bulletin Board (OpenBB) 1.0.6 allow remote attackers to inject arbitrary web script or HTML via (1) the FID parameter in board.php and (2) the TID parameter in read.php. NOTE: the SQL injection issues are already covered by CVE-2005-1612 (read.php) and CVE-2005-2566 (board.php).
5 CVE-2006-2081 Sql 2006-04-27 2018-10-18
4.6
User Local Low Not required Partial Partial Partial
Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT_EXTENSION package. NOTE: this issue was originally linked to DB05 (CVE-2006-1870), but a reliable third party has claimed that it is not the same issue. Based on details of the problem, the primary issue appears to be insecure privileges that facilitate the introduction of SQL in a way that is not related to special characters, so this is not "SQL injection" per se.
6 CVE-2006-2080 Exec Code Sql XSS 2006-04-27 2018-10-18
6.8
User Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in portfolio_photo_popup.php in Verosky Media Instant Photo Gallery 1.0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter, which is not cleansed before calling the count_click function in includes/functions/fns_std.php. NOTE: this issue could produce resultant XSS.
7 CVE-2006-2067 Exec Code Sql 2006-04-27 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in vb_board_functions.php in MKPortal 1.1, as used with vBulletin 3.5.4 and earlier, allows remote attackers to execute arbitrary SQL commands via the userid parameter.
8 CVE-2006-2065 Exec Code Sql Dir. Trav. 2006-04-27 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in save.php in PHPSurveyor 0.995 and earlier allows remote attackers to execute arbitrary SQL commands via the surveyid cookie. NOTE: this issue could be leveraged to execute arbitrary PHP code, as demonstrated by inserting directory traversal sequences into the database, which are then processed by the thissurvey['language'] variable.
9 CVE-2006-2062 Exec Code Sql 2006-04-26 2008-11-03
6.4
None Remote Low Not required None Partial Partial
Multiple SQL injection vulnerabilities in Leadhound Full and LITE 2.1, and probably the Network Version "Full Version", allow remote attackers to execute arbitrary SQL commands via the (1) banner parameter in agent_links.pl; the offset parameter in (2) agent_links.pl, (3) agent_transactions.pl, (4) agent_subaffiliates.pl, and (5) agent_summary.pl; the camp_id parameter in (6) agent_transactions_csv.pl, (7) agent_subaffiliates.pl, and (8) agent_camp_det.pl; the (9) login parameter in agent_commission_statement.pl; the logged parameter in (10) agent_commission_statement.pl and (11) agent_camp_det.pl; the (12) agent_id parameter in agent_commission_statement.pl; and the (13) sub parameter in unspecified files.
10 CVE-2006-2061 Exec Code Sql 2006-04-26 2018-10-18
5.0
None Remote Low Not required None Partial None
SQL injection vulnerability in lib/func_taskmanager.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote attackers to execute arbitrary SQL commands via the ck parameter, which can inject at most 32 characters.
11 CVE-2006-2053 Exec Code Sql 2006-04-26 2017-07-19
6.4
None Remote Low Not required Partial Partial None
Multiple SQL injection vulnerabilities in QuickEStore 7.9 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the OrderID parameter in (a) shipping.cfm and (b) checkout.cfm, (2) ItemID parameter in (c) proddetail.cfm, (3) SubCatID parameter in (d) index.cfm, the (4) CategoryID parameter in (e) prodpage.cfm, and (5) ProdID parameter in (f) Details.cfm. NOTE: these issues can also be exploited for path disclosure.
12 CVE-2006-2050 Exec Code Sql 2006-04-26 2018-10-18
5.0
None Remote Low Not required Partial None None
SQL injection vulnerability in dcboard.cgi in DCScripts DCForumLite 3.0 allows remote attackers to execute arbitrary SQL commands via the az parameter.
13 CVE-2006-2047 Sql +Info 2006-04-26 2017-07-19
5.0
None Remote Low Not required Partial None None
Application Dynamics Cartweaver ColdFusion 2.16.11 and earlier allows remote attackers to obtain sensitive information via an invalid (1) secondary, (2) PageNum_Results, (3) category, or (4) keywords parameter in (a) Results.cfm; or an invalid (5) ProdID parameter in (b) Details.cfm; which reveal the path in various error messages. NOTE: the behavior for the category, keywords, and ProdID parameters might be resultant from SQL injection.
14 CVE-2006-2046 Exec Code Sql 2006-04-26 2017-10-10
6.4
None Remote Low Not required Partial Partial None
Multiple SQL injection vulnerabilities in Application Dynamics Cartweaver ColdFusion 2.16.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) keywords parameters in (a) Results.cfm, and the (3) ProdID parameter in (b) Details.cfm.
15 CVE-2006-2040 Exec Code Sql 2006-04-26 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Multiple SQL injection vulnerabilities in photokorn 1.53 and 1.542 allow remote attackers to execute arbitrary SQL commands via the (1) cat, (2) pic and (3) page parameter in index.php; (4) id parameter in postcard.php; and (5) cat parameter in print.php.
16 CVE-2006-2039 Exec Code Sql 2006-04-26 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the osTicket module in Help Center Live before 2.1.0 allow remote attackers to execute arbitrary SQL commands via unknown vectors.
17 CVE-2006-2038 Exec Code Sql 2006-04-26 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in ampleShop 2.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) RecordID parameter in (a) Customeraddresses_RecordAction.cfm and (b) youraccount.cfm; (2) solus parameter in (c) detail.cfm; and (3) cat parameter in (d) category.cfm.
18 CVE-2006-2034 Exec Code Sql 2006-04-25 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in function/showprofile.php in FlexBB 0.5.5 allows remote attackers to execute arbitrary SQL commands, and view all usernames and passwords, via the id parameter to the showprofile page in index.php.
19 CVE-2006-2032 Exec Code Sql 2006-04-25 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Multiple SQL injection vulnerabilities in Core CoreNews 2.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) icon_id and (2) userid parameters in preview.php.
20 CVE-2006-2029 Exec Code Sql 2006-04-25 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Multiple SQL injection vulnerabilities in Jeremy Ashcraft Simplog 0.9.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) tid parameter in (a) preview.php; the (2) cid, (3) pid, and (4) eid parameters in (b) archive.php; and the (5) pid parameter in (c) comments.php.
21 CVE-2006-2018 Exec Code Sql 2006-04-25 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in calendar.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL commands via the eventid parameter. NOTE: the affected version has been disputed by the vendor. It appears that this is the same issue as CVE-2004-0036, which was fixed in 2.3.4.
22 CVE-2006-2013 Exec Code Sql XSS 2006-04-25 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in page.php in SL_site 1.0 allows remote attackers to execute arbitrary SQL commands via the id_page parameter. NOTE: this issue could be used to produce resultant XSS from an error message.
23 CVE-2006-2010 Exec Code Sql 2006-04-25 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in check_login.asp in Bloggage allow remote attackers to execute arbitrary SQL commands via the (1) acc_name and (2) password parameter.
24 CVE-2006-2004 Exec Code Sql 2006-04-25 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in RI Blog 1.1 allow remote attackers to execute arbitrary SQL command via the (1) username or (2) password fields.
25 CVE-2006-1978 89 Exec Code Sql 2006-04-21 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in inc/start.php in FlexBB 0.5.5 and earlier allows remote attackers to execute arbitrary SQL commands via the flexbb_username COOKIE parameter.
26 CVE-2006-1974 Exec Code Sql 2006-04-21 2008-09-05
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter.
27 CVE-2006-1964 Exec Code Sql 2006-04-21 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Haberler.asp in ASPSitem 1.83 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
28 CVE-2006-1962 89 Exec Code Sql 2006-04-21 2018-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (login parameter) to main.php.
29 CVE-2006-1958 Exec Code Sql 2006-04-21 2018-10-18
6.4
None Remote Low Not required Partial Partial None
Multiple SQL injection vulnerabilities in WWWThreads RC 3 allow remote attackers to execute arbitrary SQL commands via (1) the forumreferrer cookie to register.php and (2) the messages parameter in message_list.php.
30 CVE-2006-1954 Exec Code Sql 2006-04-21 2017-10-18
5.0
None Remote Low Not required None Partial None
SQL injection vulnerability in authent.php4 in Nicolas Fischer (aka NFec) RechnungsZentrale V2 1.1.3, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the User field.
31 CVE-2006-1949 Exec Code Sql 2006-04-20 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in plexcart.pl in NicPlex PlexCart X3 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
32 CVE-2006-1947 Exec Code Sql 2006-04-20 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in plexum.php in NicPlex Plexum X5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pagesize, (2) maxrec, and (3) startpos parameters.
33 CVE-2006-1930 Exec Code Sql 2006-04-20 2017-07-19
6.4
None Remote Low Not required Partial Partial None
** DISPUTED ** Multiple SQL injection vulnerabilities in userscript.php in Green Minute 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) huserid, (2) pituus, or (3) date parameters. NOTE: this issue has been disputed by the vendor, saying "those parameters mentioned ARE checked (preg_match) before they are used in SQL-query... If someone decided to add SQL-injection stuff to certain parameter, they would see an error text, but only because _nothing_ was passed inside that parameter (to MySQL-database)." As allowed by the vendor, CVE investigated this report on 20060525 and found that the demo site demonstrated a non-sensitive SQL error when given standard SQL injection manipulations.
34 CVE-2006-1926 Exec Code Sql 2006-04-20 2018-10-18
5.0
None Remote Low Not required None Partial None
SQL injection vulnerability in showtopic.php in ThWboard 2.84 beta 3 and earlier allows remote attackers to execute arbitrary SQL commands via the pagenum parameter.
35 CVE-2006-1924 Exec Code Sql 2006-04-20 2017-07-19
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in functions/db_api.php in LinPHA 1.1.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
36 CVE-2006-1920 Exec Code Sql 2006-04-20 2017-07-19
6.4
None Remote Low Not required Partial Partial None
SQL injection vulnerability in index.php in PMTool 1.2.2 allows remote attackers to execute arbitrary SQL commands via the order parameter in the include files (1) user.inc.php, (2) customer.inc.php, and (3) project.inc.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
37 CVE-2006-1917 Exec Code Sql 2006-04-20 2017-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in member.php in Blackorpheus ClanMemberSkript 1.0 allows remote attackers to execute arbitrary SQL commands via the userID parameter.
38 CVE-2006-1915 Exec Code Sql 2006-04-20 2008-09-05
5.0
None Remote Low Not required Partial None None
SQL injection vulnerability in topics.php in DbbS 2.0-alpha and earlier allows remote attackers to execute arbitrary SQL commands via the fcategoryid parameter.
39 CVE-2006-1912 Sql XSS 2006-04-20 2018-10-18
5.8
None Remote Medium Not required Partial Partial None
MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site scripting (XSS) or SQL injection attacks.
40 CVE-2006-1907 Sql 2006-04-20 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in myEvent 1.x allow remote attackers to inject arbitrary SQL commands via the event_id parameter to (1) addevent.php or (2) del.php or (3) event_desc parameter to addevent.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
41 CVE-2006-1876 Sql 2006-04-20 2018-10-18
9.0
None Remote Low Single system Complete Complete Complete
Unspecified vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.4 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB12. NOTE: details are unavailable from Oracle, but as of 20060421, they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the (1) GEN_RID_RANGE_BY_AREA and (2) GEN_RID_RANGE functions in the MDSYS.SDO_PRIDX package.
42 CVE-2006-1875 Sql 2006-04-20 2018-10-18
10.0
Admin Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Oracle Database Server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB11. NOTE: Oracle has not disputed reliable researcher claims that this issue is SQL injection in MDSYS.SDO_LRS_TRIG_INS.
43 CVE-2006-1874 Sql 2006-04-20 2018-10-18
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, and 9.2.0.6 has unknown impact and attack vectors in the Oracle Spatial component, aka Vuln# DB09. NOTE: Oracle has not disputed reliable claims that this issue is SQL injection in MDSYS.PRVT_IDX using the (1) EXECUTE_INSERT, (2) EXECUTE_DELETE, (3) EXECUTE_UPDATE, (4) EXECUTE UPDATE, and (5) CRT_DUMMY functions.
44 CVE-2006-1871 89 Exec Code Sql 2006-04-20 2018-10-18
6.5
User Remote Low Single system Partial Partial Partial
SQL injection vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.5 allows remote attackers to execute arbitrary SQL commands via the DELETE_FROM_TABLE function in the DBMS_LOGMNR_SESSION (Log Miner) package, aka Vuln# DB06.
45 CVE-2006-1866 Sql 2006-04-20 2018-10-18
9.7
None Remote Low Not required Partial Complete Complete
Multiple unspecified vulnerabilities in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and other versions have unknown impact and attack vectors in the (1) Advanced Replication component, as identified by Vuln# DB01, and (2) Oracle Spatial component, as identified by Vuln# DB10. NOTE: details are unavailable from Oracle, but as of 20060421, they have not publicly disputed a claim by a reliable independent researcher that states that DB01 is an unknown issue in the DBMS_REPUTIL package, and DB10 is SQL injection in the INSERT_CATALOG, UPDATE_CATALOG, and DELETE_CATALOG functions of the SDO_CATALOG package.
46 CVE-2006-1853 Exec Code Sql 2006-04-19 2017-07-19
6.5
User Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in ModernBill 4.3.2 and earlier allow remote attackers or administrators to execute arbitrary SQL commands via the (1) id parameter in (a) user.php, or (2) where and (3) order parameters to (b) admin.php.
47 CVE-2006-1852 Exec Code Sql 2006-04-19 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in category.php in Article Publisher Pro 1.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cname parameter.
48 CVE-2006-1849 Exec Code Sql 2006-04-19 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in members_only/index.cgi in xFlow 5.46.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) position and (2) id parameter.
49 CVE-2006-1847 Exec Code Sql 2006-04-19 2017-07-19
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Your_Account module in PHP-Nuke 7.8 might allows remote attackers to execute arbitrary SQL commands via the user_id parameter in the Your_Home functionality. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
50 CVE-2006-1837 Exec Code Sql 2006-04-19 2017-10-18
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in archiv2.php in Fuju News 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
Total number of vulnerabilities : 93   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.