| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2019-1010259 | 89 | | Sql | 2019-07-18 | 2019-08-13 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL module for Salt. The attack vector is: specially crafted password string. The fixed version is: 2018.3.4. |
| 2 | CVE-2019-1010248 | 89 | | Sql | 2019-07-18 | 2019-07-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malicious HTTP POST request. The fixed version is: 1.12.1. |
| 3 | CVE-2019-1010201 | 89 | | Sql | 2019-07-23 | 2019-07-24 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity, authenticated. The fixed version is: 4.0 and later. |
| 4 | CVE-2019-1010191 | 89 | | Sql | 2019-07-24 | 2019-07-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is an injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controller, for instance a parameter or a header. The attack vector is: Hacker inputs a SQL to a vulnerable vector (header, http parameter, etc). The fixed version is: 1.6. |
| 5 | CVE-2019-1010153 | 89 | | Sql | 2019-07-23 | 2019-07-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php. |
| 6 | CVE-2019-1010148 | 89 | | Exec Code Sql | 2019-07-23 | 2019-07-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution. |
| 7 | CVE-2019-1010104 | 89 | | Sql | 2019-07-18 | 2019-07-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request. |
| 8 | CVE-2019-1010034 | 89 | | Sql | 2019-07-15 | 2019-08-21 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC. |
| 9 | CVE-2019-1000023 | 89 | | Exec Code Sql | 2019-02-04 | 2019-02-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | OPT/NET BV OPTOSS Next Gen Network Management System (NG-NetMS) version v3.6-2 and earlier versions contains a SQL Injection vulnerability in Identified vulnerable parameters: id, id_access_type and id_attr_access that can result in a malicious attacker can include own SQL commands which database will execute. This attack appears to be exploitable via network connectivity. |
| 10 | CVE-2019-19850 | 89 | | Sql | 2019-12-17 | 2019-12-20 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the system extension ext:lowlevel installed, and a valid backend user who has administrator privileges. |
| 11 | CVE-2019-19846 | 89 | | Sql | 2019-12-18 | 2019-12-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors. |
| 12 | CVE-2019-19740 | 89 | | Sql | 2019-12-12 | 2023-01-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable. |
| 13 | CVE-2019-19734 | 89 | | Sql | 2019-12-30 | 2020-01-07 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | _account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. |
| 14 | CVE-2019-19732 | 89 | | Sql | 2019-12-30 | 2020-01-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. |
| 15 | CVE-2019-19650 | 89 | | Sql | 2019-12-11 | 2023-01-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function. |
| 16 | CVE-2019-19649 | 89 | | Sql | 2019-12-11 | 2023-02-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function. |
| 17 | CVE-2019-19250 | 89 | | Sql | 2019-11-25 | 2019-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js. |
| 18 | CVE-2019-19245 | 89 | | Sql | 2019-12-02 | 2019-12-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used. |
| 19 | CVE-2019-19207 | 89 | | Sql | 2019-11-21 | 2019-11-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. |
| 20 | CVE-2019-19113 | 89 | | Sql | 2019-11-18 | 2019-12-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection. |
| 21 | CVE-2019-19016 | 89 | | Sql | 2019-12-02 | 2019-12-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | An issue was discovered in TitanHQ WebTitan before 5.18. Some functions, such as /history-x.php, of the administration interface are vulnerable to SQL Injection through the results parameter. This could be used by an attacker to extract sensitive information from the appliance database. |
| 22 | CVE-2019-18890 | 89 | | Sql | 2019-11-21 | 2019-11-26 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query. |
| 23 | CVE-2019-18784 | 89 | | Sql | 2019-11-06 | 2019-11-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection. |
| 24 | CVE-2019-18663 | 89 | | Exec Code Sql | 2019-11-04 | 2019-11-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter. |
| 25 | CVE-2019-18662 | 89 | | Sql | 2019-11-02 | 2019-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) before being used to construct a SQL query. This can be exploited by malicious users to, e.g., read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the Live Chat plugin to be enabled. |
| 26 | CVE-2019-18646 | 89 | | Sql | 2019-11-14 | 2019-11-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The Untangle NG firewall 14.2.0 is vulnerable to authenticated inline-query SQL injection within the timeDataDynamicColumn parameter when logged in as an admin user. |
| 27 | CVE-2019-18622 | 89 | | Sql | 2019-11-22 | 2020-01-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature. |
| 28 | CVE-2019-18464 | 89 | | Sql | 2019-10-31 | 2019-11-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database or may be able to alter the database. |
| 29 | CVE-2019-18413 | 79 | | Sql XSS Bypass | 2019-10-24 | 2023-02-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented and thus most developers configure input validation in the vulnerable default manner. With this vulnerability, attackers can launch SQL Injection or XSS attacks by injecting arbitrary malicious input. NOTE: a software maintainer agrees with the "is not documented" finding but suggests that much of the responsibility for the risk lies in a different product. |
| 30 | CVE-2019-18387 | 89 | | Exec Code Sql | 2019-10-23 | 2019-10-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. |
| 31 | CVE-2019-18344 | 89 | | Exec Code Sql | 2019-10-23 | 2020-09-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Sourcecodester Online Grading System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, or user page (id or classid parameter). |
| 32 | CVE-2019-18234 | 89 | | Exec Code Sql | 2019-12-23 | 2019-12-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Equinox Control Expert all versions, is vulnerable to an SQL injection attack, which may allow an attacker to remotely execute arbitrary code. |
| 33 | CVE-2019-18229 | 89 | | Sql | 2019-10-31 | 2021-05-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None | Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input cause SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information. |
| 34 | CVE-2019-17612 | 89 | | Sql | 2019-10-15 | 2019-10-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter. |
| 35 | CVE-2019-17602 | 89 | | Sql | 2019-10-15 | 2021-05-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated. |
| 36 | CVE-2019-17580 | 89 | | Sql | 2019-10-14 | 2019-10-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | tonyy dormsystem through 1.3 allows SQL Injection in admin.php. |
| 37 | CVE-2019-17553 | 89 | | Sql | 2019-10-14 | 2019-10-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI. |
| 38 | CVE-2019-17552 | 89 | | Sql | 2019-10-14 | 2019-10-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload. |
| 39 | CVE-2019-17527 | 89 | | Sql | 2019-12-19 | 2020-01-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | dataForDepandantField in models/custormfields.php in the JS JOBS FREE extension before 1.2.7 for Joomla! allows SQL Injection via the index.php?option=com_jsjobs&task=customfields.getfieldtitlebyfieldandfieldfo child parameter. |
| 40 | CVE-2019-17429 | 89 | | Sql | 2019-10-10 | 2019-10-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter. |
| 41 | CVE-2019-17419 | 89 | | Sql | 2019-10-10 | 2019-10-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter. |
| 42 | CVE-2019-17418 | 89 | | Sql | 2019-10-10 | 2019-10-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997. |
| 43 | CVE-2019-17319 | 89 | | Sql | 2019-10-07 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Emails module by a Regular user. |
| 44 | CVE-2019-17318 | 89 | | Sql | 2019-10-07 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Inbox module by a Regular user. |
| 45 | CVE-2019-17298 | 89 | | Sql | 2019-10-07 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Administration module by a Developer user. |
| 46 | CVE-2019-17297 | 89 | | Sql | 2019-10-07 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Quotes module by a Regular user. |
| 47 | CVE-2019-17296 | 89 | | Sql | 2019-10-07 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the Contacts module by a Regular user. |
| 48 | CVE-2019-17295 | 89 | | Sql | 2019-10-07 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user. |
| 49 | CVE-2019-17294 | 89 | | Sql | 2019-10-07 | 2019-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the export function by a Regular user. |
| 50 | CVE-2019-17293 | 89 | | Sql | 2019-10-07 | 2019-10-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the pmse_Project module by a Regular user. |