Security Vulnerabilities, CVEs, Published In January 2019 (SQL injection)
SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2019-01-25 | Updated: 2019-01-25
An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
Max CVSS: 9.8 | EPSS Score: 0.16% | Published: 2019-01-26 | Updated: 2019-01-28
PHPSHE 1.7 has SQL injection via the admin.php?mod=order state parameter.
Max CVSS: 7.2 | EPSS Score: 0.09% | Published: 2019-01-23 | Updated: 2020-08-24
PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=state product_id[] parameter.
Max CVSS: 7.2 | EPSS Score: 0.09% | Published: 2019-01-23 | Updated: 2020-08-24
phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=backup&c=backup&a=doback tabledb[] parameter, related to the "--backup database" option.
Max CVSS: 7.2 | EPSS Score: 0.07% | Published: 2019-01-23 | Updated: 2019-01-25
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2019-01-20 | Updated: 2019-01-23
Cleanto 5.0 has SQL Injection via the assets/lib/export_ajax.php id parameter.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2019-01-15 | Updated: 2019-01-18
Cleanto 5.0 has SQL Injection via the assets/lib/service_method_ajax.php service_id parameter.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2019-01-15 | Updated: 2019-01-18
An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL Injection via the app/article/article.admincp.php _data_id parameter.
Max CVSS: 9.8 | EPSS Score: 0.21% | Published: 2019-01-14 | Updated: 2019-01-16
An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table[] SQL injection. This can be used for PHP code execution via "INTO OUTFILE" with a .php filename.
Max CVSS: 7.2 | EPSS Score: 0.10% | Published: 2019-01-11 | Updated: 2019-01-23
Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter.
Max CVSS: 9.8 | EPSS Score: 0.91% | Published: 2019-01-10 | Updated: 2019-01-17
includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2019-01-08 | Updated: 2019-01-30
EARCLINK ESPCMS-P8 has SQL injection in the install_pack/index.php?ac=Member&at=verifyAccount verify_key parameter. install_pack/espcms_public/espcms_db.php may allow retrieving sensitive information from the ESPCMS database.
Max CVSS: 7.5 | EPSS Score: 0.16% | Published: 2019-01-07 | Updated: 2019-02-14
An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/ProductAction.class.php allows blind SQL Injection via the id[0] parameter to the /product URI.
Max CVSS: 9.8 | EPSS Score: 0.14% | Published: 2019-01-02 | Updated: 2019-02-14
inxedu through 2018-12-24 has a SQL Injection vulnerability that can lead to information disclosure via the deleteFaveorite/ PATH_INFO. The vulnerable code location is com.inxedu.os.edu.controller.user.UserController#deleteFavorite (aka deleteFavorite in com/inxedu/os/edu/controller/user/UserController.java), where courseFavoritesService.deleteCourseFavoritesById is mishandled during use of MyBatis. NOTE: UserController.java has a spelling variation in an annotation: a @RequestMapping("/deleteFaveorite/{ids}") line followed by a "public ModelAndView deleteFavorite" line.
Max CVSS: 9.8 | EPSS Score: 0.15% | Published: 2019-01-02 | Updated: 2019-02-14
Simply-Blog through 2019-01-01 has SQL Injection via the admin/deleteCategories.php delete parameter.
Max CVSS: 7.5 | EPSS Score: 0.08% | Published: 2019-01-01 | Updated: 2019-01-16
A SQL injection vulnerability in NeDi before 1.7Cp3 allows any user to execute arbitrary SQL read commands via the query.php component.
Max CVSS: 7.5 | EPSS Score: 0.20% | Published: 2019-01-17 | Updated: 2019-01-22
In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.
Max CVSS: 8.8 | EPSS Score: 0.09% | Published: 2019-01-15 | Updated: 2019-01-18
CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.
Max CVSS: 9.8 | EPSS Score: 0.21% | Published: 2019-01-15 | Updated: 2019-01-23
The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.
Max CVSS: 9.8 | EPSS Score: 0.14% | Published: 2019-01-15 | Updated: 2019-01-23
Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.
Max CVSS: 8.8 | EPSS Score: 0.10% | Published: 2019-01-15 | Updated: 2019-01-18
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
Max CVSS: 8.8 | EPSS Score: 0.12% | Published: 2019-01-03 | Updated: 2022-11-17
An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.
Max CVSS: 8.8 | EPSS Score: 0.11% | Published: 2019-01-03 | Updated: 2022-11-17
Multiple SQL injection vulnerabilities in Plikli CMS 4.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to join_group.php or (2) comment_id parameter to story.php.
Max CVSS: 9.8 | EPSS Score: 0.18% | Published: 2019-01-03 | Updated: 2019-01-14
In CIMTechniques CIMScan 6.x through 6.2, the SOAP WSDL parser allows attackers to execute SQL code.
Max CVSS: 10.0 | EPSS Score: 0.26% | Published: 2019-01-10 | Updated: 2020-01-16