CVEdetails.com: the ultimate security vulnerability data source

Security Vulnerabilities (SQL Injection)

Each entry below lists, separated by "|": # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. A "-" means the field is empty in the listing; "???" is reproduced as shown on the page. The CVE description follows each entry.

1 | CVE-2018-1999016 | 79 | - | Sql XSS | 2018-07-23 | 2018-09-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48 and ./core/vendor/dapphp/securimage/examples/test.mysql.static.php lines 114 and 118 that can result in an unauthenticated remote attacker manipulating the web client via XSS code injection. This attack appears to be exploitable via the victim opening a specially crafted URL. This vulnerability appears to have been fixed in version 8.2.1.

2 | CVE-2018-1002000 | - | - | Sql | 2018-12-03 | 2018-12-04 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable in a POST request.

3 | CVE-2018-1000804 | 119 | - | Exec Code Overflow Sql | 2018-10-08 | 2018-12-04 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
contiki-ng version 4 contains a Buffer Overflow vulnerability in the AQL (Antelope Query Language) database engine that can result in an attacker performing Remote Code Execution on a device running the Contiki-NG operating system. To exploit it, the attacker must be able to run malicious AQL code (e.g. via a SQL-like injection attack).

4 | CVE-2018-1000653 | 89 | - | Sql | 2018-08-20 | 2018-10-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in zzcms being attacked by SQL injection when run under nginx. This attack appears to be exploitable when zzcms is running under nginx.

5 | CVE-2018-1000650 | 89 | - | Sql | 2018-08-20 | 2018-10-16 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL Injection vulnerability in the Show Groups Popup SQL query functions that can result in the ability to perform malicious database queries. This attack appears to be exploitable via user-controlled parameters.

6 | CVE-2018-1000558 | 89 | - | Sql | 2018-06-26 | 2018-08-20 | 4.0 | None | Remote | Low | Single system | Partial | None | None
OCS Inventory NG ocsreports versions 2.4 and 2.3.1 contain a SQL Injection vulnerability in web search through which an authenticated attacker is able to gain full access to data stored within the database. This attack appears to be exploitable by sending crafted requests. This vulnerability appears to have been fixed in 2.4.1.

7 | CVE-2018-1000552 | 89 | - | Sql | 2018-06-26 | 2018-08-17 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Trovebox version <= 4.0.0-rc6 contains a SQL Injection vulnerability in the album component that can result in SQL code injection. This attack appears to be exploitable via an HTTP request. This vulnerability appears to have been fixed after commit 742b8ed.

8 | CVE-2018-1000131 | 89 | - | Sql | 2018-03-14 | 2018-04-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Pradeep Makone WordPress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function that gets tickets: the email parameter in the cookie is injectable because the parameter is not filtered. This attack appears to be exploitable via the web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later.

9 | CVE-2018-1000044 | 89 | - | Exec Code Sql | 2018-02-09 | 2018-02-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a SQL Injection vulnerability in .inc/callback.php that can result in execution of SQL commands. This attack appears to be exploitable via a web request to .inc/callback.php with the payload in the sensors parameter, used in ec(). This vulnerability appears to have been fixed in 1.7.0.

10 | CVE-2018-20173 | - | - | Sql | 2018-12-17 | 2018-12-17 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.

11 | CVE-2018-20061 | - | - | Sql | 2018-12-11 | 2018-12-11 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
A SQL injection issue was discovered in ERPNext 10.x and 11.x through 11.0.3-beta.29. This attack is only available to a logged-in user; however, many ERPNext sites allow account creation via the web. No special privileges are needed to conduct the attack. By calling a JavaScript function that calls a server-side Python function with carefully chosen arguments, a SQL attack can be carried out which allows SQL queries to be constructed to return any columns from any tables in the database. This is related to /api/resource/Item?fields= URIs, frappe.get_list, and frappe.call.

12 | CVE-2018-20018 | - | - | Sql | 2018-12-10 | 2018-12-10 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI.

13 | CVE-2018-19925 | - | - | Sql | 2018-12-06 | 2018-12-06 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter.

14 | CVE-2018-19898 | - | - | Sql | 2018-12-05 | 2018-12-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
ThinkCMF X2.2.2 has SQL Injection via the method edit_post in ArticleController.class.php and is exploitable by normal authenticated users via the post[id][1] parameter in an article edit_post action.

15 | CVE-2018-19897 | - | - | Sql | 2018-12-05 | 2018-12-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action.

16 | CVE-2018-19896 | - | - | Sql | 2018-12-05 | 2018-12-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
ThinkCMF X2.2.2 has SQL Injection via the function delete() in SlideController.class.php and is exploitable with the manager privilege via the ids[] parameter in a slide action.

17 | CVE-2018-19895 | - | - | Sql | 2018-12-05 | 2018-12-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action.

18 | CVE-2018-19894 | - | - | Sql | 2018-12-05 | 2018-12-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
ThinkCMF X2.2.2 has SQL Injection via the functions check() and delete() in CommentadminController.class.php and is exploitable with the manager privilege via the ids[] parameter in a commentadmin action.

19 | CVE-2018-19893 | - | - | Sql | 2018-12-05 | 2018-12-05 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
SearchController.php in PbootCMS 1.2.1 has SQL injection via the index.php/Search/index.html query string.

20 | CVE-2018-19559 | - | - | Sql | 2018-11-26 | 2018-11-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
CuppaCMS before 2018-11-12 has SQL Injection in administrator/classes/ajax/functions.php via the reference_id parameter.

21 | CVE-2018-19558 | - | - | Sql | 2018-11-26 | 2018-11-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in arcms through 2018-03-19. SQL injection exists via the json/newslist limit parameter because of ctl/main/Json.php, ctl/main/service/Data.php, and comp/Db/Mysql.php.

22 | CVE-2018-19553 | - | - | Sql | 2018-11-26 | 2018-11-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Interspire Email Marketer through 6.1.6 has SQL Injection via an updateblock sortorder request to Dynamiccontenttags.php.

23 | CVE-2018-19552 | - | - | Sql | 2018-11-26 | 2018-11-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Interspire Email Marketer through 6.1.6 has SQL Injection via a deleteblock blockid[] request to Dynamiccontenttags.php.

24 | CVE-2018-19551 | - | - | Sql | 2018-11-26 | 2018-11-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Interspire Email Marketer through 6.1.6 has SQL Injection via a checkduplicatetags tagname request to Dynamiccontenttags.php.

25 | CVE-2018-19549 | - | - | Sql | 2018-11-26 | 2018-11-26 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Interspire Email Marketer through 6.1.6 has SQL Injection via a tagids Delete action to Dynamiccontenttags.php.

26 | CVE-2018-19468 | - | - | Sql | 2018-11-23 | 2018-11-23 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
HuCart 5.7.4 has SQL injection in get_ip() in system/class/helper_class.php via the X-Forwarded-For HTTP header to the user/index.php?load=login&act=act_login URI.

27 | CVE-2018-19436 | - | - | Sql | 2018-11-22 | 2018-11-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in the Manufacturing component in webERP 4.15. CollectiveWorkOrderCost.php has Blind SQL Injection via the SearchParts parameter.

28 | CVE-2018-19435 | - | - | Sql | 2018-11-22 | 2018-11-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in the Sales component in webERP 4.15. SalesInquiry.php has SQL Injection via the SortBy parameter.

29 | CVE-2018-19434 | - | - | Sql | 2018-11-22 | 2018-11-22 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered on the "Bank Account Matching - Receipts" screen of the General Ledger component in webERP 4.15. BankMatching.php has Blind SQL injection via the AmtClear_ parameter.

30 | CVE-2018-19349 | 89 | - | Sql | 2018-11-17 | 2018-12-17 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php.

31 | CVE-2018-19331 | - | - | Sql | 2018-11-17 | 2018-11-17 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
An issue was discovered in S-CMS v1.5. There is a SQL injection vulnerability in search.php via the keyword parameter.

32 | CVE-2018-19312 | 89 | - | Sql | 2018-11-16 | 2018-12-17 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Centreon 3.4.x allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.

33 | CVE-2018-19281 | 89 | - | Sql | 2018-11-14 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Centreon 3.4.x allows SNMP trap SQL Injection.

34 | CVE-2018-19271 | - | - | Sql | 2018-11-14 | 2018-11-14 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Centreon 3.4.x allows SQL Injection via the main.php searchH parameter.

35 | CVE-2018-19221 | 89 | - | Sql | 2018-11-12 | 2018-12-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via the admin/login.php guanliyuan parameter.

36 | CVE-2018-19061 | 89 | - | Sql | 2018-11-07 | 2018-12-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
DedeCMS 5.7 SP2 has SQL Injection via the dede\co_do.php ids parameter.

37 | CVE-2018-18982 | - | - | Exec Code Sql | 2018-11-27 | 2018-11-27 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
In NUUO CMS, all versions 3.3 and prior, the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.

38 | CVE-2018-18963 | 89 | - | Sql | 2018-11-06 | 2018-12-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Busca.aspx.cs in Degrau Publicidade e Internet Plataforma de E-commerce allows SQL Injection via the busca/ URI.

39 | CVE-2018-18949 | 89 | - | Sql | 2018-11-05 | 2018-12-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.

40 | CVE-2018-18923 | - | - | Sql | 2018-12-13 | 2018-12-14 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id and status_id in reports.php.

41 | CVE-2018-18887 | 89 | - | Sql | 2018-10-31 | 2018-12-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
S-CMS PHP 1.0 has SQL injection in member/member_news.php via the type parameter (aka the $N_type field).

42 | CVE-2018-18832 | 89 | - | Sql | 2018-10-30 | 2018-12-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
admin/check.asp in DKCMS 9.4 allows SQL Injection via an ASPSESSIONID cookie to admin/admin.asp.

43 | CVE-2018-18822 | - | - | Sql | 2018-10-30 | 2018-10-30 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Grapixel New Media v2.0 allows SQL Injection via the pages.aspx pageref parameter.

44 | CVE-2018-18806 | 89 | - | Sql | 2018-11-16 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
School Equipment Monitoring System 1.0 allows SQL injection via the login screen, related to include/user.vb.

45 | CVE-2018-18805 | 89 | - | Sql | 2018-11-16 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
PointOfSales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb.

46 | CVE-2018-18804 | 89 | - | Sql | 2018-11-16 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.

47 | CVE-2018-18803 | 89 | - | Sql | 2018-11-16 | 2018-12-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb.

48 | CVE-2018-18801 | - | - | Sql | 2018-11-16 | 2018-11-16 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].

49 | CVE-2018-18796 | - | - | Sql | 2018-11-16 | 2018-11-16 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
Library Management System 1.0 has SQL Injection via the "Search for Books" screen.

50 | CVE-2018-18795 | - | - | Sql | 2018-11-16 | 2018-11-16 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ???
School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.