CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,851 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 101 of 378
- CVE-2018-7180CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter.
- CVE-2018-7269CRITICALCVSS 9.8EG 9.82018-03-21
The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to saniti…
- CVE-2018-7282CRITICALCVSS 9.8EG 9.82019-12-06
The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi.
- CVE-2018-7312CRITICALCVSS 9.8EG 9.82018-02-22
SQL Injection exists in the Alexandria Book Library 3.1.2 component for Joomla! via the letter parameter.
- CVE-2018-7313CRITICALCVSS 9.8EG 9.82018-02-22
SQL Injection exists in the CW Tags 2.0.6 component for Joomla! via the searchtext array parameter.
- CVE-2018-7314CRITICALCVSS 9.8EG 9.82018-02-22
SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429.
- CVE-2018-7315CRITICALCVSS 9.8EG 9.82018-02-22
SQL Injection exists in the Ek Rishta 2.9 component for Joomla! via the gender, age1, age2, religion, mothertounge, caste, or country parameter.
- CVE-2018-7318CRITICALCVSS 9.8EG 9.82018-02-22
SQL Injection exists in the CheckList 1.1.1 component for Joomla! via the title_search, tag_search, name_search, description_search, or filter_order parameter.
- CVE-2018-7319CRITICALCVSS 9.8EG 9.82018-02-22
SQL Injection exists in the OS Property Real Estate 3.12.7 component for Joomla! via the cooling_system1, heating_system1, or laundry parameter.
- CVE-2018-7463CRITICALCVSS 9.8EG 9.82018-02-26
SQL injection vulnerability in files.php in the "files" component in ASANHAMAYESH CMS 3.4.6 allows a remote attacker to execute arbitrary SQL commands via the "id" parameter.
- CVE-2018-7474CRITICALCVSS 9.8EG 9.82018-03-14
An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.
- CVE-2018-7477CRITICALCVSS 9.8EG 9.82018-02-28
SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 via the Username and Password fields to parents/Parent_module/parent_login.php.
- CVE-2018-7501HIGHCVSS 7.5EG 7.52018-05-15
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several SQL inj…
- CVE-2018-7528CRITICALCVSS 9.1EG 9.12018-03-22
An SQL injection vulnerability has been identified in Geutebruck G-Cam/EFD-2250 Version 1.12.0.4 and Topline TopFD-2125 Version 3.15.1 IP cameras, which may allow an attacker to alter stored data.
- CVE-2018-7538CRITICALCVSS 9.8EG 9.82018-03-12
A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18 allows attackers to execute arbitrary SQL commands.
- CVE-2018-7579HIGHCVSS 7.2EG 7.22018-03-01
\application\admin\controller\update_urls.class.php in YzmCMS 3.6 has SQL Injection via the catids array parameter to admin/update_urls/update_category_url.html.
- CVE-2018-7666CRITICALCVSS 9.8EG 9.82018-03-05
An issue was discovered in ClipBucket before 4.0.0 Release 4902. SQL injection vulnerabilities exist in the actions/vote_channel.php channelId parameter, the ajax/commonAjax.php email parameter, and the ajax/commonAjax.php username paramet…
- CVE-2018-7732CRITICALCVSS 9.8EG 9.82018-03-06
An issue was discovered in YxtCMF 3.1. SQL Injection exists in ShitiController.class.php via the ids array parameter to exam/shiti/delshiti.html.
- CVE-2018-7734HIGHCVSS 7.2EG 7.22018-03-06
Afian FileRun (before 2018.02.13) suffers from a remote SQL injection vulnerability, when logged in as superuser, via the search parameter in a /?module=users§ion=cpanel&page=list request.
- CVE-2018-7735HIGHCVSS 7.2EG 7.22018-03-06
Afian FileRun (before 2018.02.13) suffers from a remote SQL injection vulnerability, when logged in as superuser, via the search parameter in a /?module=metadata§ion=cpanel&page=list_filetypes request.
- CVE-2018-7765HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input paramet…
- CVE-2018-7766HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of track_getdata.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the id input parameter.
- CVE-2018-7767HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of editobject.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the type input parameter.
- CVE-2018-7768HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of loadtemplate.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the tpl input parameter.
- CVE-2018-7769HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of xmlserver.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the id input parameter.
- CVE-2018-7772HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of applets which are exposed on the web service in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query to determine whether a user is logged…
- CVE-2018-7773HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of nfcserver.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the sessionid input parameter.
- CVE-2018-7774HIGHCVSS 8.8EG 8.82018-07-03
The vulnerability exists within processing of localize.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the username input parameter.
- CVE-2018-7802HIGHCVSS 8.8EG 8.82018-12-24
A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
- CVE-2018-7841CRITICALCVSS 9.8EG 9.8⚠ KEV2019-05-22
A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.
- CVE-2018-8045HIGHCVSS 8.8EG 8.82018-03-15
In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.
- CVE-2018-8057CRITICALCVSS 9.8EG 9.82018-03-11
A SQL Injection vulnerability exists in Western Bridge Cobub Razor 0.8.0 via the channel_name or platform parameter in a /index.php?/manage/channel/addchannel request, related to /application/controllers/manage/channel.php.
- CVE-2018-8733CRITICALCVSS 9.8EG 9.82018-04-18
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
- CVE-2018-8734CRITICALCVSS 9.8EG 9.82018-04-18
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
- CVE-2018-8802HIGHCVSS 8.1EG 8.12018-03-26
SQL injection vulnerability in the management interface in ePortal Manager allows remote attackers to execute arbitrary SQL commands via unspecified parameters.
- CVE-2018-8820HIGHCVSS 7.5EG 7.52018-03-28
An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQL injection vulnerability in the "match" parameter allows remote authenticated attackers to execute arbitrary SQL commands. It is possible to upgrade access to full serv…
- CVE-2018-8824CRITICALCVSS 9.8EG 9.82018-05-10
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code p…
- CVE-2018-8914HIGHCVSS 7.3EG 9.82018-05-10
SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.
- CVE-2018-8943CRITICALCVSS 9.8EG 9.82018-03-22
There is a SQL injection in the PHPSHE 1.6 userbank parameter.
- CVE-2018-8953HIGHCVSS 8.8EG 8.82018-04-11
CA Workload Automation AE before r11.3.6 SP7 allows remote attackers to a perform SQL injection via a crafted HTTP request.
- CVE-2018-8967CRITICALCVSS 9.8EG 9.82018-03-24
An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.
- CVE-2018-9019CRITICALCVSS 9.8EG 9.82018-05-22
SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy…
- CVE-2018-9029CRITICALCVSS 9.8EG 9.82018-06-18
An improper input validation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to conduct SQL injection attacks.
- CVE-2018-9102MEDIUMCVSS 6.5EG 6.52018-04-25
A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct an …
- CVE-2018-9230CRITICALCVSS 9.8EG 9.82018-04-02
In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access res…
- CVE-2018-9245CRITICALCVSS 9.8EG 9.82018-04-22
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating system.
- CVE-2018-9247CRITICALCVSS 9.8EG 9.82018-04-04
The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing …
- CVE-2018-9250HIGHCVSS 8.8EG 8.82018-05-18
interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the newlistname parameter.
- CVE-2018-9309CRITICALCVSS 9.8EG 9.82018-04-05
An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.
- CVE-2018-9493MEDIUMCVSS 5.5EG 5.52018-10-02
In the content provider of the download manager, there is a possible SQL injection due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not ne…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →