| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-1010259 |
89 |
|
Sql |
2019-07-18 |
2019-08-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4. |
|
2 |
CVE-2019-1010248 |
89 |
|
Sql |
2019-07-18 |
2019-07-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malicious HTTP POST request. The fixed version is: 1.12.1. |
|
3 |
CVE-2019-1010201 |
89 |
|
Sql |
2019-07-23 |
2019-07-24 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticated. The fixed version is: 4.0 and later. |
|
4 |
CVE-2019-1010191 |
89 |
|
Sql |
2019-07-24 |
2019-07-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector(header, http parameter, etc). The fixed version is: 1.6. |
|
5 |
CVE-2019-1010153 |
89 |
|
Sql |
2019-07-23 |
2019-07-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php. |
|
6 |
CVE-2019-1010148 |
89 |
|
Exec Code Sql |
2019-07-23 |
2019-07-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution. |
|
7 |
CVE-2019-1010104 |
89 |
|
Sql |
2019-07-18 |
2019-07-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request. |
|
8 |
CVE-2019-1010034 |
89 |
|
Sql |
2019-07-15 |
2019-08-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC. |
|
9 |
CVE-2019-17429 |
89 |
|
Sql |
2019-10-10 |
2019-10-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter. |
|
10 |
CVE-2019-17419 |
89 |
|
Sql |
2019-10-09 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter. |
|
11 |
CVE-2019-17418 |
89 |
|
Sql |
2019-10-09 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997. |
|
12 |
CVE-2019-17319 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. |
|
13 |
CVE-2019-17318 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. |
|
14 |
CVE-2019-17298 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user. |
|
15 |
CVE-2019-17297 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user. |
|
16 |
CVE-2019-17296 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user. |
|
17 |
CVE-2019-17295 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user. |
|
18 |
CVE-2019-17294 |
89 |
|
Sql |
2019-10-07 |
2019-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user. |
|
19 |
CVE-2019-17293 |
89 |
|
Sql |
2019-10-07 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user. |
|
20 |
CVE-2019-17292 |
89 |
|
Sql |
2019-10-07 |
2019-10-10 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by an Admin user. |
|
21 |
CVE-2019-17271 |
89 |
|
Sql |
2019-10-08 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList or ajax/api/widget/getWidgetList where parameter. |
|
22 |
CVE-2019-17197 |
89 |
|
Sql |
2019-10-05 |
2019-10-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects library/patient.inc. |
|
23 |
CVE-2019-17128 |
89 |
|
Sql |
2019-10-09 |
2019-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection (Boolean Based Blind) in the redirect parameters and parameter name of the login page through a GET request. The injection allows an attacker to read sensitive information from the database used by the application. |
|
24 |
CVE-2019-17072 |
89 |
|
Sql |
2019-10-10 |
2019-10-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via all-query-page.php. |
|
25 |
CVE-2019-17049 |
89 |
|
Sql |
2019-09-30 |
2019-10-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
NETGEAR SRX5308 4.3.5-3 devices allow SQL Injection, as exploited in the wild in September 2019 to add a new user account. |
|
26 |
CVE-2019-16999 |
89 |
|
Sql |
2019-09-30 |
2019-10-02 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
CloudBoot through 2019-03-08 allows SQL Injection via a crafted Status field in JSON data to the api/osinstall/v1/device/getNumByStatus URI. |
|
27 |
CVE-2019-16997 |
89 |
|
Sql |
2019-09-30 |
2019-10-04 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter. |
|
28 |
CVE-2019-16996 |
89 |
|
Sql |
2019-09-30 |
2019-10-04 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/product/admin/product_admin.class.php via the admin/?n=product&c=product_admin&a=dopara&app_type=shop id parameter. |
|
29 |
CVE-2019-16894 |
89 |
|
Sql |
2019-09-26 |
2019-09-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
download.php in inoERP 4.15 allows SQL injection through insecure deserialization. |
|
30 |
CVE-2019-16745 |
89 |
|
Sql |
2019-09-30 |
2019-10-03 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection. |
|
31 |
CVE-2019-16744 |
89 |
|
Sql |
2019-09-30 |
2019-10-03 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
eBrigade before 5.0 has evenements.php cid SQL Injection. |
|
32 |
CVE-2019-16743 |
89 |
|
Sql |
2019-09-30 |
2019-10-02 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
eBrigade before 5.0 has evenement_ical.php evenement SQL Injection. |
|
33 |
CVE-2019-16696 |
89 |
|
Sql |
2019-09-22 |
2019-09-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used. |
|
34 |
CVE-2019-16695 |
89 |
|
Sql |
2019-09-22 |
2019-09-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used. |
|
35 |
CVE-2019-16694 |
89 |
|
Sql |
2019-09-22 |
2019-09-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used. |
|
36 |
CVE-2019-16693 |
89 |
|
Sql |
2019-09-22 |
2019-09-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used. |
|
37 |
CVE-2019-16692 |
89 |
|
Sql |
2019-09-22 |
2019-10-01 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used. |
|
38 |
CVE-2019-16644 |
89 |
|
Sql |
2019-09-20 |
2019-09-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= substring. |
|
39 |
CVE-2019-16642 |
89 |
|
Sql |
2019-09-20 |
2019-09-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Mobile/Zhuanti/group?id= substring. |
|
40 |
CVE-2019-16383 |
89 |
|
Sql |
2019-09-24 |
2019-09-25 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API, aka SQL Injection. |
|
41 |
CVE-2019-16309 |
89 |
|
Sql |
2019-09-14 |
2019-09-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName. |
|
42 |
CVE-2019-16264 |
89 |
|
Sql |
2019-09-16 |
2019-09-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) v1, the username parameter of the authentication form is vulnerable to SQL injection, allowing attackers to access the database. |
|
43 |
CVE-2019-16194 |
89 |
|
Sql |
2019-09-25 |
2019-09-25 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. |
|
44 |
CVE-2019-16125 |
89 |
|
Sql |
2019-09-08 |
2019-09-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Jobberbase 2.0, the parameter category is not sanitized in public/page_subscribe.php, leading to /subscribe SQL injection. |
|
45 |
CVE-2019-16119 |
89 |
|
Sql |
2019-09-08 |
2019-09-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter. |
|
46 |
CVE-2019-15872 |
89 |
|
Sql |
2019-09-03 |
2019-09-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The LoginPress plugin before 1.1.4 for WordPress has SQL injection via an import of settings. |
|
47 |
CVE-2019-15659 |
89 |
|
Sql |
2019-08-27 |
2019-08-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969. |
|
48 |
CVE-2019-15658 |
89 |
|
Sql |
2019-08-26 |
2019-08-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data. |
|
49 |
CVE-2019-15646 |
89 |
|
Sql |
2019-08-27 |
2019-08-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The rsvpmaker plugin before 6.2 for WordPress has SQL injection. |
|
50 |
CVE-2019-15574 |
89 |
|
Sql |
2019-08-26 |
2019-09-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Gesior-AAC before 2019-05-01 allows serviceID SQL injection in accountmanagement.php. |
