| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2017-1002028 |
89 |
|
Sql |
2017-09-14 |
2017-09-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin wordpress-gallery-transformation v1.0, SQL injection is in ./wordpress-gallery-transformation/gallery.php via $jpic parameter being unsanitized before being passed into an SQL query. |
|
2 |
CVE-2017-1002027 |
89 |
|
Sql |
2017-09-14 |
2017-09-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin rk-responsive-contact-form v1.0, The variable $delid isn't sanitized before being passed into an SQL query in file ./rk-responsive-contact-form/include/rk_user_list.php. |
|
3 |
CVE-2017-1002026 |
89 |
|
Sql |
2017-09-14 |
2017-09-20 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement. |
|
4 |
CVE-2017-1002025 |
89 |
|
Sql |
2017-09-14 |
2017-09-21 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin add-edit-delete-listing-for-member-module v1.0, The plugin author does not sanitize user supplied input via $act before passing it into an SQL statement. |
|
5 |
CVE-2017-1002023 |
89 |
|
Sql |
2017-09-14 |
2017-09-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin Easy Team Manager v1.3.2, The code does not sanitize id before making it part of an SQL statement in file ./easy-team-manager/inc/easy_team_manager_desc_edit.php |
|
6 |
CVE-2017-1002022 |
89 |
|
Sql |
2017-09-14 |
2017-09-18 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin surveys v1.01.8, The code in questions.php does not sanitize the survey variable before placing it inside of an SQL query. |
|
7 |
CVE-2017-1002021 |
89 |
|
Sql |
2017-09-14 |
2017-09-18 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin surveys v1.01.8, The code in individual_responses.php does not sanitize the survey_id variable before placing it inside of an SQL query. |
|
8 |
CVE-2017-1002020 |
89 |
|
Sql |
2017-09-14 |
2017-09-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_form.php does not sanitize the action variable before placing it inside of an SQL query. |
|
9 |
CVE-2017-1002019 |
89 |
|
Sql |
2017-09-14 |
2017-09-18 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and event_form.php code do not sanitize input, this allows for blind SQL injection via the event parameter. |
|
10 |
CVE-2017-1002018 |
89 |
|
Sql |
2017-09-14 |
2017-09-18 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and attendees.php code do not sanitize input, this allows for blind SQL injection via the event parameter. |
|
11 |
CVE-2017-1002015 |
89 |
|
Sql |
2017-09-14 |
2017-09-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via selectMulGallery parameter. |
|
12 |
CVE-2017-1002014 |
89 |
|
Sql |
2017-09-14 |
2017-09-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via gallery_name parameter. |
|
13 |
CVE-2017-1002013 |
89 |
|
Sql |
2017-09-14 |
2017-09-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection via imgid parameter in image-gallery-with-slideshow/admin_setting.php. |
|
14 |
CVE-2017-1002010 |
89 |
|
Sql |
2017-09-14 |
2017-09-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete_media function. |
|
15 |
CVE-2017-1002009 |
89 |
|
Sql |
2017-09-14 |
2017-09-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete function. |
|
16 |
CVE-2017-1000129 |
89 |
|
Sql |
2017-11-17 |
2017-11-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Serendipity 2.0.3 is vulnerable to a SQL injection in the blog component resulting in information disclosure |
|
17 |
CVE-2017-1000120 |
89 |
|
Exec Code Sql |
2017-10-04 |
2017-10-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. |
|
18 |
CVE-2017-1000067 |
89 |
|
Sql |
2017-07-17 |
2017-07-21 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges. |
|
19 |
CVE-2017-1000060 |
89 |
|
Sql |
2017-07-17 |
2017-07-19 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root |
|
20 |
CVE-2017-1000031 |
89 |
|
Exec Code Sql |
2017-07-17 |
2017-07-19 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. |
|
21 |
CVE-2017-1000004 |
89 |
|
Exec Code Sql |
2017-07-17 |
2017-08-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution. |
|
22 |
CVE-2017-17983 |
89 |
|
Sql |
2017-12-29 |
2018-01-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
PHP Scripts Mall Muslim Matrimonial Script has SQL injection via the view-profile.php mem_id parameter. |
|
23 |
CVE-2017-17959 |
89 |
|
Sql |
2017-12-28 |
2018-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter. |
|
24 |
CVE-2017-17957 |
89 |
|
Sql |
2017-12-28 |
2018-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter. |
|
25 |
CVE-2017-17951 |
89 |
|
Sql |
2017-12-28 |
2018-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter. |
|
26 |
CVE-2017-17950 |
89 |
|
Sql |
2017-12-28 |
2018-04-13 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter. |
|
27 |
CVE-2017-17941 |
89 |
|
Sql |
2017-12-28 |
2018-01-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
PHP Scripts Mall Single Theater Booking has SQL Injection via the admin/movieview.php movieid parameter. |
|
28 |
CVE-2017-17931 |
89 |
|
Sql |
2017-12-27 |
2018-01-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP Scripts Mall Resume Clone Script has SQL Injection via the forget.php username parameter. |
|
29 |
CVE-2017-17928 |
89 |
|
Sql |
2017-12-27 |
2018-01-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP Scripts Mall Professional Service Script has SQL injection via the admin/review.php id parameter. |
|
30 |
CVE-2017-17920 |
89 |
|
Exec Code Sql |
2017-12-29 |
2018-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. |
|
31 |
CVE-2017-17919 |
89 |
|
Exec Code Sql |
2017-12-29 |
2018-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. |
|
32 |
CVE-2017-17917 |
89 |
|
Exec Code Sql |
2017-12-29 |
2018-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. |
|
33 |
CVE-2017-17916 |
89 |
|
Exec Code Sql |
2017-12-29 |
2018-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. |
|
34 |
CVE-2017-17906 |
89 |
|
Sql |
2017-12-27 |
2018-01-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
PHP Scripts Mall Car Rental Script has SQL Injection via the admin/carlistedit.php carid parameter. |
|
35 |
CVE-2017-17900 |
89 |
|
Exec Code Sql |
2017-12-27 |
2018-01-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter. |
|
36 |
CVE-2017-17899 |
89 |
|
Exec Code Sql |
2017-12-27 |
2018-01-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. |
|
37 |
CVE-2017-17897 |
89 |
|
Exec Code Sql |
2017-12-27 |
2018-01-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
|
38 |
CVE-2017-17895 |
89 |
|
Sql |
2017-12-27 |
2018-01-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Readymade Job Site Script has SQL Injection via the location_name array parameter to the /job URI. |
|
39 |
CVE-2017-17892 |
89 |
|
Sql |
2017-12-27 |
2018-01-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Readymade Video Sharing Script has SQL Injection via the viewsubs.php chnlid parameter or the search_video.php search parameter. |
|
40 |
CVE-2017-17875 |
89 |
|
Sql |
2017-12-27 |
2018-01-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action. |
|
41 |
CVE-2017-17873 |
89 |
|
Sql |
2017-12-27 |
2018-01-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI. |
|
42 |
CVE-2017-17872 |
89 |
|
Sql |
2017-12-27 |
2018-01-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action. |
|
43 |
CVE-2017-17871 |
89 |
|
Sql |
2017-12-27 |
2018-01-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL Injection via the an parameter in a view=tags action, or the ques-srch parameter. |
|
44 |
CVE-2017-17870 |
89 |
|
Sql |
2017-12-27 |
2018-01-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the appid parameter in an entriessearch action. |
|
45 |
CVE-2017-17829 |
89 |
|
Sql |
2017-12-21 |
2018-01-03 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Bus Booking Script has SQL Injection via the admin/view_seatseller.php sp_id parameter or the admin/view_member.php memid parameter. |
|
46 |
CVE-2017-17824 |
89 |
|
Sql |
2017-12-20 |
2018-01-03 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database. |
|
47 |
CVE-2017-17823 |
89 |
|
Sql |
2017-12-20 |
2018-01-03 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database. |
|
48 |
CVE-2017-17822 |
89 |
|
Sql |
2017-12-20 |
2018-01-03 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database. |
|
49 |
CVE-2017-17781 |
89 |
|
Sql |
2017-12-20 |
2018-01-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In Horde Groupware through 5.2.22, SQL Injection exists via the group parameter to /services/prefs.php or the homePostalCode parameter to /turba/search.php. |
|
50 |
CVE-2017-17779 |
89 |
|
Sql |
2017-12-19 |
2018-01-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Paid To Read Script 2.0.5 has SQL injection via the referrals.php id parameter. |
