CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2014(SQL Injection)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2014-1636 89 Exec Code Sql 2014-01-22 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Command School Student Management System 1.06.01 allow remote attackers to execute arbitrary SQL commands via the id parameter in an edit action to (1) admin_school_names.php, (2) admin_subjects.php, (3) admin_grades.php, (4) admin_terms.php, (5) admin_school_years.php, (6) admin_sgrades.php, (7) admin_media_codes_1.php, (8) admin_infraction_codes.php, (9) admin_generations.php, (10) admin_relations.php, (11) admin_titles.php, or (12) health_allergies.php in sw/.
202 CVE-2014-1619 89 Exec Code Sql 2014-01-21 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Cubic CMS 5.1.1, 5.1.2, and 5.2 allow remote attackers to execute arbitrary SQL commands via the (1) resource_id or (2) version_id parameter to recursos/agent.php or (3) login or (4) pass parameter to login.usuario.
203 CVE-2014-1618 89 Exec Code Sql 2014-01-21 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in UAEPD Shopping Cart Script allow remote attackers to execute arbitrary SQL commands via the (1) cat_id or (2) p_id parameter to products.php or id parameter to (3) page.php or (4) news.php.
204 CVE-2014-1609 89 Exec Code Sql 2014-03-20 2017-01-06
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limited_rows function in core/news_api.php; the (3) summary_print_by_enum, (4) summary_print_by_age, (5) summary_print_by_developer, (6) summary_print_by_reporter, or (7) summary_print_by_category function in core/summary_api.php; the (8) create_bug_enum_summary or (9) enum_bug_group function in plugins/MantisGraph/core/graph_api.php; (10) bug_graph_bycategory.php or (11) bug_graph_bystatus.php in plugins/MantisGraph/pages/; or (12) proj_doc_page.php, related to use of the db_query function, a different vulnerability than CVE-2014-1608.
205 CVE-2014-1608 89 Exec Code Sql 2014-03-18 2017-01-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request.
206 CVE-2014-1597 89 Exec Code Sql 2014-02-27 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the CMDB web application in synetics i-doit pro before 1.2.5 and i-doit open allows remote attackers to execute arbitrary SQL commands via the objID parameter to the default URI.
207 CVE-2014-1471 89 Exec Code Sql 2014-02-04 2016-06-01
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.
208 CVE-2014-1466 89 Exec Code Sql 2014-01-15 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.
209 CVE-2014-1459 89 1 Exec Code Sql CSRF 2014-02-11 2018-10-09
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in dg-admin/index.php in doorGets CMS 5.2 and earlier allows remote authenticated administrators to execute arbitrary SQL commands via the _position_down_id parameter. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
210 CVE-2014-1455 89 Exec Code Sql 2014-04-10 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the password reset functionality in Pearson eSIS Enterprise Student Information System, possibly 3.3.0.13 and earlier, allows remote attackers to execute arbitrary SQL commands via the new password.
211 CVE-2014-1401 89 1 Exec Code Sql 2014-02-11 2018-10-09
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search parameter to mod/content/content.php or (2) CLIENT_IP, (3) X_FORWARDED_FOR, (4) X_FORWARDED, (5) FORWARDED_FOR, or (6) FORWARDED HTTP header to index.php.
212 CVE-2014-1206 89 1 Exec Code Sql 2014-01-15 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the password reset page in Open Web Analytics (OWA) before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the owa_email_address parameter in a base.passwordResetRequest action to index.php.
213 CVE-2014-1204 89 1 Exec Code Sql 2014-01-31 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Tableau Server 8.0.x before 8.0.7 and 8.1.x before 8.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be exploited by unauthenticated remote attackers if the guest user is enabled.
214 CVE-2014-0966 89 Exec Code Sql 2014-08-17 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.x and 11.x before 11.0-FP5 and InfoSphere Master Data Management Server for Product Information Management 9.x through 11.x before 11.3-IF2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
215 CVE-2014-0821 89 Exec Code Sql 2014-02-26 2015-08-13
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the download feature in Cybozu Garoon 2.x through 2.5.4 and 3.x through 3.7 SP3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6930 and CVE-2013-6931.
216 CVE-2014-0794 79 1 Exec Code Sql XSS 2014-01-26 2018-10-09
4.3
None Remote Medium Not required None Partial None
SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.like action to index.php.
217 CVE-2014-0763 89 Exec Code Sql 2014-04-12 2015-07-24
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in DBVisitor.dll in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary SQL commands via SOAP requests to unspecified functions.
218 CVE-2014-0734 89 Exec Code Sql 2014-02-20 2015-09-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Certificate Authority Proxy Function (CAPF) implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum46483.
219 CVE-2014-0729 89 Exec Code Sql 2014-02-13 2015-08-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Enterprise Mobility Application (EMApp) interface in Cisco Unified Communications Manager (UCM) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05302.
220 CVE-2014-0728 89 Exec Code Sql 2014-02-13 2015-08-05
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Java database interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05313.
221 CVE-2014-0727 89 Exec Code Sql 2014-02-13 2015-09-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the CallManager Interactive Voice Response (CMIVR) interface in Cisco Unified Communications Manager (UCM) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05318.
222 CVE-2014-0726 89 Exec Code Sql 2014-02-13 2015-09-16
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the IP Manager Assistant (IPMA) interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05326.
223 CVE-2014-0137 89 Exec Code Sql 2014-05-14 2014-05-15
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.
224 CVE-2014-0080 89 Exec Code Sql 2014-02-20 2019-08-08
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
225 CVE-2013-7406 89 Exec Code Sql 2014-10-21 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
226 CVE-2013-7375 89 Exec Code Sql 2014-05-05 2016-12-30
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803.
227 CVE-2013-7369 89 Exec Code Sql 2014-04-18 2014-04-21
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in an unspecified DLL in the FSDBCom ActiveX control in F-Secure Anti-Virus for Microsoft Exchange Server before HF02, Anti-Virus for Windows Servers 9.00 before HF09, Anti-Virus for Citrix Servers 9.00 before HF09, and F-Secure Email and Server Security and F-Secure Server Security 9.20 before HF01 allows remote attackers to execute arbitrary SQL commands via unknown vectors, related to GetCommand.
228 CVE-2013-7355 89 Exec Code Sql 2014-04-10 2014-04-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema.
229 CVE-2013-7352 352 Sql CSRF 2014-04-02 2014-04-03
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945.
230 CVE-2013-7349 89 1 Exec Code Sql 2014-03-31 2016-12-30
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter to news/send.php, (2) thread_id parameter to posts/edit.php, or (3) user_email parameter to users/password.php or (4) users/register.php. NOTE: these issues were SPLIT from CVE-2013-5640 due to differences in researchers and disclosure dates.
231 CVE-2013-7346 352 Sql CSRF 2014-03-27 2014-03-27
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Symphony CMS before 2.3.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the sort parameter to system/authors/, related to CVE-2013-2559.
232 CVE-2013-7334 352 Sql CSRF 2014-03-11 2014-03-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in ImageCMS before 4.2 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the q parameter, related to CVE-2012-6290.
233 CVE-2013-7278 89 Exec Code Sql 2014-01-08 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Naxtech CMS Afroditi 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to default.asp.
234 CVE-2013-7262 89 Exec Code Sql 2014-01-05 2015-10-08
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.
235 CVE-2013-7225 89 Exec Code Sql 2014-01-02 2014-01-03
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
236 CVE-2013-7219 89 Exec Code Sql 2014-01-21 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in vote.php in the 2Glux Sexy Polling (com_sexypolling) component before 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the answer_id[] parameter.
237 CVE-2013-7175 89 Exec Code Sql 2014-01-23 2016-12-30
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in Avanset Visual CertExam Manager 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) Title, (2) File name, or (3) Candidate Name field.
238 CVE-2013-7139 89 Exec Code Sql 2014-01-09 2014-01-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in download.php in Horizon Quick Content Management System (QCMS) 4.0 and earlier allows remote to execute arbitrary SQL commands via the category parameter.
239 CVE-2013-6931 89 Exec Code Sql 2014-01-29 2014-02-21
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the API in Cybozu Garoon 3.7.x before 3.7.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6929.
240 CVE-2013-6930 89 Exec Code Sql 2014-01-29 2014-02-21
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the page-navigation implementation in Cybozu Garoon 2.0.0 through 2.0.6, 2.1.0 through 2.1.3, 2.5.0 through 2.5.4, 3.0.0 through 3.0.3, 3.5.0 through 3.5.5, and 3.7.x before 3.7.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6929.
241 CVE-2013-6872 89 1 Exec Code Sql 2014-01-21 2015-07-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in managetimetracker.php in Collabtive before 1.2 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a projectpdf action.
242 CVE-2013-6331 89 Exec Code Sql 2014-03-05 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 through 5.0.0, ACSWeb in Algo Security Access Control Management 4.7.0 through 4.9.0, and ACSWeb in AlgoWebApps 5.0.0, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6302.
243 CVE-2013-6321 89 Exec Code Sql 2014-01-10 2015-07-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in IBM Atlas eDiscovery Process Management 6.0.1.5 and earlier and 6.0.2, Disposal and Governance Management for IT 6.0.1.5 and earlier and 6.0.2, and Global Retention Policy and Schedule Management 6.0.1.5 and earlier and 6.0.2 in IBM Atlas Suite (aka Atlas Policy Suite) allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
244 CVE-2013-6311 89 Exec Code Sql 2014-06-27 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM Marketing Platform 9.1 before FP2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
245 CVE-2013-6302 89 Exec Code Sql 2014-03-05 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 through 5.0.0, ACSWeb in Algo Security Access Control Management 4.7.0 through 4.9.0, and ACSWeb in AlgoWebApps 5.0.0, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6331.
246 CVE-2013-5640 89 1 Exec Code Sql 2014-03-31 2016-12-30
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php, or (5) thread_id parameter to posts/add.php. NOTE: this issue was SPLIT due to differences in researchers and disclosure dates. CVE-2013-7349 already covers the news_id parameter to news/send.php, user_email parameter to users/register.php, and thread_id to posts/edit.php vectors.
247 CVE-2013-5117 89 1 Exec Code Sql 2014-03-12 2014-03-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the RSS page (DNNArticleRSS.aspx) in the ZLDNN DNNArticle module before 10.1 for DotNetNuke allows remote attackers to execute arbitrary SQL commands via the categoryid parameter.
248 CVE-2013-5015 89 2 Exec Code Sql 2014-02-14 2015-07-30
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
249 CVE-2013-5012 89 Exec Code Sql 2014-02-10 2014-02-11
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
250 CVE-2013-4887 89 Exec Code Sql 2014-01-29 2017-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter.
Total number of vulnerabilities : 305   Page : 1 2 3 4 5 (This Page)6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.