CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-89

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-6497 89 Sql 2019-01-20 2019-01-23
7.5
None Remote Low Not required Partial Partial Partial
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
2 CVE-2019-6296 89 Sql 2019-01-15 2019-01-18
7.5
None Remote Low Not required Partial Partial Partial
Cleanto 5.0 has SQL Injection via the assets/lib/export_ajax.php id parameter.
3 CVE-2019-6295 89 Sql 2019-01-15 2019-01-18
7.5
None Remote Low Not required Partial Partial Partial
Cleanto 5.0 has SQL Injection via the assets/lib/service_method_ajax.php service_id parameter.
4 CVE-2019-6259 89 Sql 2019-01-14 2019-01-16
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL Injection via the app/article/article.admincp.php _data_id parameter.
5 CVE-2019-6127 89 Exec Code Sql 2019-01-11 2019-01-23
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table[] SQL injection. This can be used for PHP code execution via "INTO OUTFILE" with a .php filename.
6 CVE-2019-5893 89 Sql 2019-01-10 2019-01-17
7.5
None Remote Low Not required Partial Partial Partial
Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter.
7 CVE-2019-3494 89 Sql 2019-01-01 2019-01-16
6.4
None Remote Low Not required None Partial Partial
Simply-Blog through 2019-01-01 has SQL Injection via the admin/deleteCategories.php delete parameter.
8 CVE-2018-1002000 89 Sql 2018-12-03 2018-12-27
6.5
None Remote Low Single system Partial Partial Partial
There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8 These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request.
9 CVE-2018-1000871 89 Sql 2018-12-20 2019-01-07
7.5
None Remote Low Not required Partial Partial Partial
HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL Injection vulnerability in "id_utente_mod" parameter in gestione_utenti.php file that can result in An attacker can dump all the database records of backend webserver. This attack appear to be exploitable via the attack can be done by anyone via specially crafted sql query passed to the "id_utente_mod=1" parameter.
10 CVE-2018-1000869 89 Sql 2018-12-20 2019-01-08
7.5
None Remote Low Not required Partial Partial Partial
phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4.
11 CVE-2018-1000867 89 Sql 2018-12-20 2019-01-07
6.5
None Remote Low Single system Partial Partial Partial
WeBid version up to current version 1.2.2 contains a SQL Injection vulnerability in All five yourauctions*.php scripts that can result in Database Read via Blind SQL Injection. This attack appear to be exploitable via HTTP Request. This vulnerability appears to have been fixed in after commit 256a5f9d3eafbc477dcf77c7682446cc4b449c7f.
12 CVE-2018-1000653 89 Sql 2018-08-20 2018-10-12
7.5
None Remote Low Not required Partial Partial Partial
zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx.
13 CVE-2018-1000650 89 Sql 2018-08-20 2018-10-16
6.5
None Remote Low Single system Partial Partial Partial
LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulnerability in Show Groups Popup SQL query functions that can result in Ability to perform malicious database queries. This attack appear to be exploitable via User controlled parameters.
14 CVE-2018-1000631 89 Sql 2018-12-28 2019-01-11
7.5
None Remote Low Not required Partial Partial Partial
Battelle V2I Hub 3.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the tmx/TmxCtl/src/lib/PluginStatus.cpp and TmxControl::user_info() function, which could allow the attacker to view, add, modify or delete information in the back-end database.
15 CVE-2018-1000630 89 Sql 2018-12-28 2019-01-11
6.5
None Remote Low Single system Partial Partial Partial
Battelle V2I Hub 2.5.1 is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to /api/PluginStatusActions.php and /status/pluginStatus.php using the jtSorting or id parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
16 CVE-2018-1000558 89 Sql 2018-06-26 2018-08-20
4.0
None Remote Low Single system Partial None None
OCS Inventory NG ocsreports 2.4 and ocsreports 2.3.1 version 2.4 and 2.3.1 contains a SQL Injection vulnerability in web search that can result in An authenticated attacker is able to gain full access to data stored within database. This attack appear to be exploitable via By sending crafted requests it is possible to gain database access. This vulnerability appears to have been fixed in 2.4.1.
17 CVE-2018-1000552 89 Sql 2018-06-26 2018-08-17
6.5
None Remote Low Single system Partial Partial Partial
Trovebox version <= 4.0.0-rc6 contains a SQL Injection vulnerability in album component that can result in SQL code injection. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed.
18 CVE-2018-1000131 89 Sql 2018-03-14 2018-04-13
7.5
None Remote Low Not required Partial Partial Partial
Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appear to be exploitable via web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later.
19 CVE-2018-1000044 89 Exec Code Sql 2018-02-09 2018-02-28
7.5
None Remote Low Not required Partial Partial Partial
Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a SQL Injection vulnerability in .inc/callback.php that can result in execution of SQL commands. This attack appear to be exploitable via Web request to .inc/callback.php with the payload in the sensors parameter, used in ec(). This vulnerability appears to have been fixed in 1.7.0.
20 CVE-2018-20730 89 Exec Code Sql 2019-01-16 2019-01-22
5.0
None Remote Low Not required Partial None None
A SQL injection vulnerability in NeDi before 1.7Cp3 allows any user to execute arbitrary SQL read commands via the query.php component.
21 CVE-2018-20719 89 Sql 2019-01-15 2019-01-18
6.5
None Remote Low Single system Partial Partial Partial
In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.
22 CVE-2018-20716 89 Sql 2019-01-15 2019-01-23
7.5
None Remote Low Not required Partial Partial Partial
CubeCart before 6.1.13 has SQL Injection via the validate[] parameter of the "I forgot my Password!" feature.
23 CVE-2018-20715 89 Sql 2019-01-15 2019-01-23
7.5
None Remote Low Not required Partial Partial Partial
The DB abstraction layer of OXID eSales 4.10.6 is vulnerable to SQL injection via the oxid or synchoxid parameter to the oxConfig::getRequestParameter() method in core/oxconfig.php.
24 CVE-2018-20713 89 Sql 2019-01-15 2019-01-18
6.5
None Remote Low Single system Partial Partial Partial
Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.
25 CVE-2018-20572 89 Sql 2018-12-28 2019-01-09
7.5
None Remote Low Not required Partial Partial Partial
WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893.
26 CVE-2018-20569 89 Sql Bypass 2018-12-28 2019-01-10
7.5
None Remote Low Not required Partial Partial Partial
user/index.php in Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 allows SQL injection for authentication bypass.
27 CVE-2018-20508 89 Sql 2018-12-27 2019-01-08
7.5
None Remote Low Not required Partial Partial Partial
CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search() function.
28 CVE-2018-20480 89 Sql 2018-12-25 2018-12-31
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in S-CMS 1.0. It allows SQL Injection via the js/pic.php P_id parameter.
29 CVE-2018-20479 89 Sql 2018-12-25 2018-12-31
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in S-CMS 1.0. It allows SQL Injection via the wap_index.php?type=newsinfo S_id parameter.
30 CVE-2018-20477 89 Sql 2018-12-25 2018-12-29
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in S-CMS 3.0. It allows SQL Injection via the bank/callback1.php P_no field.
31 CVE-2018-20338 89 Sql 2018-12-21 2019-01-04
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.
32 CVE-2018-20329 89 Sql 2018-12-21 2019-01-07
5.5
None Remote Low Single system Partial Partial None
Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsCatalog.class.php SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information.
33 CVE-2018-20173 89 Sql 2018-12-17 2019-01-04
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.
34 CVE-2018-20061 89 Sql 2018-12-11 2019-01-02
5.0
None Remote Low Not required Partial None None
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.
35 CVE-2018-20018 89 Sql 2018-12-10 2018-12-29
5.0
None Remote Low Not required Partial None None
S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI.
36 CVE-2018-19998 89 Exec Code Sql 2019-01-03 2019-01-11
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
37 CVE-2018-19994 89 Exec Code Sql 2019-01-03 2019-01-09
6.5
None Remote Low Single system Partial Partial Partial
An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.
38 CVE-2018-19925 89 Sql 2018-12-06 2019-01-11
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter.
39 CVE-2018-19898 89 Sql 2018-12-05 2018-12-26
6.5
None Remote Low Single system Partial Partial Partial
ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action.
40 CVE-2018-19897 89 Sql 2018-12-05 2018-12-26
6.5
None Remote Low Single system Partial Partial Partial
ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action.
41 CVE-2018-19896 89 Sql 2018-12-05 2018-12-26
6.5
None Remote Low Single system Partial Partial Partial
ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action.
42 CVE-2018-19895 89 Sql 2018-12-05 2018-12-26
6.5
None Remote Low Single system Partial Partial Partial
ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action.
43 CVE-2018-19894 89 Sql 2018-12-05 2018-12-26
6.5
None Remote Low Single system Partial Partial Partial
ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.
44 CVE-2018-19893 89 Sql 2018-12-05 2018-12-26
7.5
None Remote Low Not required Partial Partial Partial
SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string.
45 CVE-2018-19559 89 Sql 2018-11-26 2018-12-18
7.5
None Remote Low Not required Partial Partial Partial
CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter.
46 CVE-2018-19558 89 Sql 2018-11-26 2018-12-19
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in arcms through 2018-03-19. SQL injection exists via the json/newslist limit parameter because of ctl/main/Json.php, ctl/main/service/Data.php, and comp/Db/Mysql.php.
47 CVE-2018-19557 89 Sql 2018-11-26 2018-12-19
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in arcms through 2018-03-19. No authentication is required for index/main, user/useradd, or img/images.
48 CVE-2018-19553 89 Sql 2018-11-26 2018-12-18
6.5
None Remote Low Single system Partial Partial Partial
Interspire Email Marketer through 6.1.6 has SQL Injection via an updateblock sortorder request to Dynamiccontenttags.php
49 CVE-2018-19552 89 Sql 2018-11-26 2018-12-18
6.5
None Remote Low Single system Partial Partial Partial
Interspire Email Marketer through 6.1.6 has SQL Injection via a deleteblock blockid[] request to Dynamiccontenttags.php.
50 CVE-2018-19551 89 Sql 2018-11-26 2018-12-18
6.5
None Remote Low Single system Partial Partial Partial
Interspire Email Marketer through 6.1.6 has SQL Injection via a checkduplicatetags tagname request to Dynamiccontenttags.php.
Total number of vulnerabilities : 5264   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.