About “SQL Injection”

A curated feed of “SQL Injection”-related CVEs appears below. We currently track 20884 CVEs for this tag (all time). In the last 365 days, 4061 were published. Average CVSS is 7.7 (all time; 7.3 over 365d), and 76% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-20 - Improper Input Validation.

In our taxonomy this topic maps to a HIGH impact class, and common exploitation patterns for this weakness lead to high-impact outcomes. Use the filters below to sort by CVSS, risk and CWE, triage the highest-risk entries first, and validate exposure in your environment. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic.

2019-09-22
Critical

CVE-2019-16696

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.

Critical

CVE-2019-16695

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.

Critical

CVE-2019-16694

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.

Critical

CVE-2019-16693

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.

Critical

CVE-2019-16692

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.

2019-09-20
Critical

CVE-2019-16644

App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= substring.

High

CVE-2015-9400

The wordpress-meta-robots plugin through 2.1 for WordPress has wp-admin/post-new.php text SQL injection.

High

CVE-2015-9399

The wp-stats-dashboard plugin through 2.9.4 for WordPress has admin/graph_trend.php type SQL injection.

High

CVE-2015-9398

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php gcid SQL injection.

High

CVE-2015-9395

The users-ultra plugin before 1.5.64 for WordPress has SQL Injection via an ajax action.

Critical

CVE-2019-16642

App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Mobile/Zhuanti/group?id= substring.

Critical

CVE-2016-11000

The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter.

2019-09-18
Critical

CVE-2019-15301

A SQL injection vulnerability in the method Terrasoft.Core.DB.Column.Const() in Terrasoft Bpm'online CRM-System SDK 7.13 allows attackers to execute arbitrary SQL commands via the value parameter.

2019-09-16
High

CVE-2019-4147

IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or…

Critical

CVE-2019-16264

In Escuela de Gestion Publica Plurinacional (EGPP) Sistema Integrado de Gestion Academica (GESAC) v1, the username parameter of the authentication form is vulnerable to SQL injection, allowing attack…

2019-09-14
Critical

CVE-2019-16309

FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.

2019-09-13
High

CVE-2019-12516

The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-e…

High

CVE-2016-10951

The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter.

High

CVE-2016-10950

The sirv plugin before 1.3.2 for WordPress has SQL injection via the id parameter.

High

CVE-2016-10949

The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization.

High

CVE-2016-10947

The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin.

High

CVE-2017-18614

The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter.

High

CVE-2016-10943

The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter.

Critical

CVE-2016-10942

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.

High

CVE-2016-10940

The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.

High

CVE-2016-10939

The xtremelocator plugin 1.5 for WordPress has SQL injection via the id parameter.

2019-09-12
High

CVE-2019-5996

SQL injection vulnerability in the Video Insight VMS 7.3.2.5 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

High

CVE-2019-5991

SQL injection vulnerability in the Cybozu Garoon 4.0.0 to 4.10.3 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

2019-09-11
Medium

CVE-2019-3760

The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a SQL Injection vulnerability in Workflow Architect. A remote authenticated…

2019-09-10
High

CVE-2017-18602

The examapp plugin 1.0 for WordPress has SQL injection via the wp-admin/admin.php?page=examapp_UserResult id parameter.

High

CVE-2017-18597

The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL Injection via the admin/class-jtrt-responsive-tables-admin.php tableId parameter.

2019-09-09
High

CVE-2019-12465

An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of…

High

CVE-2019-12463

An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or enco…

High

CVE-2019-10671

An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these dat…

Critical

CVE-2019-10665

An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently valida…

Critical

CVE-2019-16125

In Jobberbase 2.0, the parameter category is not sanitized in public/page_subscribe.php, leading to /subscribe SQL injection.

2019-09-08
Critical

CVE-2019-16119

SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.

2019-09-05
High

CVE-2019-13191

A SQL injection vulnerability in IntraMaps MapControl 8 allows attackers to execute arbitrary SQL commands via the /ApplicationEngine/Search/Refine/Set page.

Medium

CVE-2019-5070

An exploitable SQL injection vulnerability exists in the unauthenticated portion of eFront LMS, versions v5.2.12 and earlier. Specially crafted web request to login page can cause SQL injections, res…

2019-09-03
Critical

CVE-2019-15872

The LoginPress plugin before 1.1.4 for WordPress has SQL injection via an import of settings.

2019-08-29
High

CVE-2019-11363

A SQL injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to execute arbitrary SQL commands via the AgentConsole/UserGroupQuery.php ShowUser parameter.

2019-08-28
High

CVE-2015-9353

The gigpress plugin before 2.3.11 for WordPress has SQL injection in the admin area, a different vulnerability than CVE-2015-4066.

Critical

CVE-2012-6719

The sharebar plugin before 1.2.2 for WordPress has SQL injection.

2019-08-27
Critical

CVE-2019-14314

A SQL injection vulnerability exists in the Imagely NextGEN Gallery plugin before 3.2.11 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrar…

Critical

CVE-2015-9352

The wp-polls plugin before 2.72 for WordPress has SQL injection.

Critical

CVE-2019-15659

The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969.

Critical

CVE-2019-15646

The rsvpmaker plugin before 6.2 for WordPress has SQL injection.

Critical

CVE-2018-21004

The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection.

Critical

CVE-2018-21003

The buddyforms plugin before 2.2.8 for WordPress has SQL injection.

Critical

CVE-2015-9344

The link-log plugin before 2.1 for WordPress has SQL injection.

2019-08-26
High

CVE-2019-15658

connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data.

Critical

CVE-2019-15533

XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php.

Critical

CVE-2019-15558

XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, related to Constants.java, DropSchemaResolver.java, and SchemaChangeResolver.java.

Critical

CVE-2019-15557

XM^online 2 User Account and Authentication server 1.0.0 allows SQL injection via a tenant key.

Critical

CVE-2019-15555

FredReinink Wellness-app before 2019-06-19 allows SQL injection, related to dietTrack.php, exerciseGenerator.php, fitnessTrack.php, and server.php.

Critical

CVE-2019-15560

The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in database/index.js.

Critical

CVE-2019-15559

DianoxDragon Hawn before 2019-07-10 allows SQL injection.

Critical

CVE-2019-15574

Gesior-AAC before 2019-05-01 allows serviceID SQL injection in accountmanagement.php.

Critical

CVE-2019-15573

Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php.

Critical

CVE-2019-15572

Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in shop.php.

Critical

CVE-2019-15571

The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php.

Critical

CVE-2019-15570

BEdita through 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters.

Critical

CVE-2019-15569

HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows SQL injection, related to SearchQueryFactoryOperation.java and SortDirection.java.

Critical

CVE-2019-15568

idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform IDseq allows SQL injection via tax_levels.

Critical

CVE-2019-15567

OpenForis Arena before 2019-05-07 allows SQL injection in the sorting feature.

Critical

CVE-2019-15566

The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java.

Critical

CVE-2019-15565

The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php.

Critical

CVE-2019-15564

The Compassion Switzerland addons 10.01.4 for Odoo allow SQL injection in models/partner_compassion.py.

Critical

CVE-2019-15563

Observational Health Data Sciences and Informatics (OHDSI) WebAPI before 2.7.2 allows SQL injection in FeatureExtractionService.java.

Critical

CVE-2019-15562

GORM before 1.9.10 allows SQL injection via incomplete parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm expects trusted SQL fragments is a vulnerability in the application,…

Critical

CVE-2019-15561

FlashLingo before 2019-06-12 allows SQL injection, related to flashlingo.js and db.js.

Critical

CVE-2019-15556

Pvanloon1983 social_network before 2019-07-03 allows SQL injection in includes/form_handlers/register_handler.php.

Critical

CVE-2019-15534

Raml-Module-Builder 26.4.0 allows SQL Injection in PostgresClient.update.

2019-08-23
Critical

CVE-2019-15537

The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php.

Critical

CVE-2019-15536

The Acclaim block plugin before 2019-06-26 for Moodle allows SQL Injection via delete_records.

Critical

CVE-2019-15535

Tasking Manager before 3.4.0 allows SQL Injection via custom SQL.

2019-08-22
Critical

CVE-2015-9334

The email-newsletter plugin through 20.15 for WordPress has SQL injection.

High

CVE-2019-12385

An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any dat…

Critical

CVE-2014-10387

The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has SQL injection.

Critical

CVE-2017-18573

The simple-login-log plugin before 1.1.2 for WordPress has SQL injection.

Critical

CVE-2017-18571

The search-everything plugin before 8.1.7 for WordPress has SQL injection related to WordPress 4.7.x, a different vulnerability than CVE-2014-2316.

Critical

CVE-2017-18570

The cforms2 plugin before 14.13 for WordPress has SQL injection in the tracking DB GUI via Delete Entries or Download Entries.

Critical

CVE-2016-10921

The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL injection.

Critical

CVE-2016-10917

The search-everything plugin before 8.1.6 for WordPress has SQL injection related to empty search strings, a different vulnerability than CVE-2014-2316.

Critical

CVE-2016-10916

The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.

Critical

CVE-2015-9335

The limit-attempts plugin before 1.1.1 for WordPress has SQL injection during IP address handling.

Critical

CVE-2015-9333

The cforms2 plugin before 14.6.10 for WordPress has SQL injection.

2019-08-21
Critical

CVE-2019-10687

KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.

Critical

CVE-2014-10379

The duplicate-post plugin before 2.6 for WordPress has SQL injection.

Critical

CVE-2016-10909

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.

2019-08-20
Critical

CVE-2019-4483

IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, whic…

Critical

CVE-2019-4481

IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, whic…

Critical

CVE-2015-9330

The wp-all-import plugin before 3.2.5 for WordPress has blind SQL injection.

Medium

CVE-2019-14430

plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection.

2019-08-17
High

CVE-2019-14937

REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a…

2019-08-16
Critical

CVE-2015-9324

The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.

Critical

CVE-2015-9323

The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

Critical

CVE-2014-10376

The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection.

Critical

CVE-2017-18548

The note-press plugin before 0.1.2 for WordPress has SQL injection.

Critical

CVE-2016-10904

The olimometer plugin before 2.57 for WordPress has SQL injection.

Critical

CVE-2015-9326

The wp-business-intelligence-lite plugin before 1.6.3 for WordPress has SQL injection.

Critical

CVE-2015-9325

The visitors-online plugin before 0.4 for WordPress has SQL injection.

High

CVE-2019-15105

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a l…

High

CVE-2019-15104

An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-author…

2019-08-15
Critical

CVE-2019-13578

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQ…

2019-08-14
Critical

CVE-2016-10888

The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues.

Critical

CVE-2016-10887

The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues.

Critical

CVE-2015-9310

The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues.

Critical

CVE-2019-15025

The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.

Critical

CVE-2017-18514

The simple-login-log plugin before 1.1.2 for WordPress has SQL injection.

Critical

CVE-2016-10889

The nextgen-gallery plugin before 2.1.57 for WordPress has SQL injection via a gallery name.

Critical

CVE-2015-9316

The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter.

Critical

CVE-2015-9315

The newstatpress plugin before 1.0.1 for WordPress has SQL injection.

Critical

CVE-2015-9313

The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element.

Critical

CVE-2017-18515

The wp-statistics plugin before 12.0.8 for WordPress has SQL injection.

2019-08-13
Critical

CVE-2015-9301

The liveforms plugin before 3.2.0 for WordPress has SQL injection.

2019-08-12
Critical

CVE-2019-14968

An issue was discovered in imcat 4.9. There is SQL Injection via the index.php order parameter in a mod=faqs action.

High

CVE-2019-14966

An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.

Critical

CVE-2019-13462

Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.

2019-08-09
Critical

CVE-2019-14801

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection.