CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,857 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 102 of 378
- CVE-2018-9924CRITICALCVSS 9.8EG 9.82018-04-10
An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request.
- CVE-2019-0393MEDIUMCVSS 4.3EG 4.32019-11-13
An SQL Injection vulnerability in SAP Quality Management (corrected in S4CORE versions 1.0, 1.01, 1.02, 1.03) allows an attacker to carry out targeted database queries that can read individual fields of historical inspection results.
- CVE-2019-1000023CRITICALCVSS 9.8EG 9.82019-02-04
OPT/NET BV OPTOSS Next Gen Network Management System (NG-NetMS) version v3.6-2 and earlier versions contains a SQL Injection vulnerability in Identified vulnerable parameters: id, id_access_type and id_attr_access that can result in a mali…
- CVE-2019-1010034MEDIUMCVSS 6.5EG 6.52019-07-15
Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-base…
- CVE-2019-1010104CRITICALCVSS 9.8EG 9.82019-07-18
TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request.
- CVE-2019-1010148CRITICALCVSS 9.8EG 9.82019-07-23
zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.
- CVE-2019-1010153CRITICALCVSS 9.8EG 9.82019-07-23
zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php.
- CVE-2019-1010191CRITICALCVSS 9.8EG 9.82019-07-24
marginalia < 1.6 is affected by: SQL Injection. The impact is: The impact is a injection of any SQL queries when a user controller argument is added as a component. The component is: Affects users that add a component that is user controll…
- CVE-2019-1010201MEDIUMCVSS 6.5EG 6.52019-07-23
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerab…
- CVE-2019-1010248CRITICALCVSS 9.8EG 9.82019-07-18
Synetics GmbH I-doit 1.12 and earlier is affected by: SQL Injection. The impact is: Unauthenticated mysql database access. The component is: Web login form. The attack vector is: An attacker can exploit the vulnerability by sending a malic…
- CVE-2019-1010259CRITICALCVSS 9.8EG 9.82019-07-18
SaltStack Salt 2018.3, 2019.2 is affected by: SQL Injection. The impact is: An attacker could escalate privileges on MySQL server deployed by cloud provider. It leads to RCE. The component is: The mysql.user_chpass function from the MySQL …
- CVE-2019-10123CRITICALCVSS 9.8EG 9.82019-05-31
SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which is the backend for the AIS logistics mobile app) allows an anonymous attacker to execute arbitrary code in the context of the user of the MSSQL database. The default us…
- CVE-2019-10141HIGHCVSS 8.3EG 8.32019-07-30
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL …
- CVE-2019-10208HIGHCVSS 8.8EG 8.82019-10-29
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. A…
- CVE-2019-10232CRITICALCVSS 9.8EG 9.82019-03-27
Teclib GLPI through 9.3.3 has SQL injection via the "cycle" parameter in /scripts/unlock_tasks.php.
- CVE-2019-10262CRITICALCVSS 9.8EG 9.82019-03-28
A SQL Injection issue was discovered in BlueCMS 1.6. The variable $ad_id is spliced directly in uploads/admin/ad.php in the admin folder, and is not wrapped in single quotes, resulting in injection around the escape of magic quotes.
- CVE-2019-10653CRITICALCVSS 9.8EG 9.82019-07-10
An issue was discovered in Hsycms V1.1. There is a SQL injection vulnerability via a /news/*.html page.
- CVE-2019-10663HIGHCVSS 8.8EG 8.82019-03-30
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to conduct SQL injection attacks via the sord parameter in a listCodeblueGroup API call to the /cgi? URI.
- CVE-2019-10664CRITICALCVSS 9.8EG 9.82019-03-31
Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.
- CVE-2019-10671HIGHCVSS 8.8EG 8.82019-09-09
An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these database queries to extract or manipulate d…
- CVE-2019-10687CRITICALCVSS 9.8EG 9.82019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
- CVE-2019-10692CRITICALCVSS 9.8EG 9.82019-04-02
In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.
- CVE-2019-10707CRITICALCVSS 9.8EG 9.82019-04-02
MKCMS V5.0 has SQL injection via the bplay.php play parameter.
- CVE-2019-10708CRITICALCVSS 9.8EG 9.82019-04-02
S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.
- CVE-2019-10748CRITICALCVSS 9.8EG 9.82019-10-29
Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.
- CVE-2019-10749CRITICALCVSS 9.8EG 9.82019-10-29
sequelize before version 3.35.1 allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.
- CVE-2019-10752CRITICALCVSS 9.8EG 9.82019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
- CVE-2019-10757CRITICALCVSS 9.8EG 9.82019-10-08
knex.js versions before 0.19.5 are vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.
- CVE-2019-10762CRITICALCVSS 9.8EG 9.82019-10-30
columnQuote in medoo before 1.7.5 allows remote attackers to perform a SQL Injection due to improper escaping.
- CVE-2019-10763MEDIUMCVSS 6.5EG 6.52019-11-18
pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attacker with limited privileges (classes permission) can achieve a SQL injection that can lead in data leakage. The vulnerability can be exploited via 'id', 'storeId', 'pageS…
- CVE-2019-10766CRITICALCVSS 9.8EG 9.82019-11-19
Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit() function due to improper sanitization.
- CVE-2019-10852HIGHCVSS 8.8EG 8.82019-05-23
Computrols CBAS 18.0.0 allows Authenticated Blind SQL Injection via the id GET parameter, as demonstrated by the index.php?m=servers&a=start_pulling&id= substring.
- CVE-2019-10866CRITICALCVSS 9.8EG 9.82019-05-23
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parame…
- CVE-2019-10910CRITICALCVSS 9.8EG 9.82019-05-16
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/depend…
- CVE-2019-10913CRITICALCVSS 9.8EG 9.82019-05-16
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly …
- CVE-2019-10916HIGHCVSS 8.8EG 8.82019-05-14
A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions < V8.1 with WinCC V7.3 Upd 19), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9…
- CVE-2019-11057HIGHCVSS 8.8EG 8.82019-05-17
SQL injection vulnerability in Vtiger CRM before 7.1.0 hotfix3 allows authenticated users to execute arbitrary SQL commands.
- CVE-2019-11196CRITICALCVSS 9.8EG 9.82019-04-12
An authentication bypass vulnerability in all versions of ValuePLUS Integrated University Management System (IUMS) allows unauthenticated, remote attackers to gain administrator privileges via the Teachers Web Panel (TWP) User ID or Passwo…
- CVE-2019-11362CRITICALCVSS 9.8EG 9.82019-04-20
app/controllers/frontend/PostController.php in ROCBOSS V2.2.1 has SQL injection via the Post:doReward score paramter, as demonstrated by the /do/reward/3 URI.
- CVE-2019-11363HIGHCVSS 7.2EG 7.22019-08-29
A SQL injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to execute arbitrary SQL commands via the AgentConsole/UserGroupQuery.php ShowUser parameter.
- CVE-2019-11448CRITICALCVSS 9.8EG 9.82019-04-22
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker c…
- CVE-2019-11450CRITICALCVSS 9.8EG 9.82019-04-22
whatsns 4.0 allows index.php?question/ajaxadd.html title SQL injection.
- CVE-2019-11451HIGHCVSS 7.2EG 7.22019-04-22
whatsns 4.0 allows index.php?inform/add.html qid SQL injection.
- CVE-2019-11452HIGHCVSS 7.2EG 7.22019-04-22
whatsns 4.0 allows index.php?admin_category/remove.html cid[] SQL injection.
- CVE-2019-11469CRITICALCVSS 9.8EG 9.82019-04-23
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Exec…
- CVE-2019-11512CRITICALCVSS 9.8EG 9.82019-07-09
Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7.5.
- CVE-2019-11518HIGHCVSS 7.2EG 7.22019-04-25
An issue was discovered in SEMCMS 3.8. SEMCMS_Inquiry.php allows AID[] SQL Injection because the class.phpmailer.php inject_check_sql protection mechanism is incomplete.
- CVE-2019-11567HIGHCVSS 7.2EG 7.22019-04-27
An issue was discovered in AikCms v2.0. There is a SQL Injection vulnerability via $_GET['del'], as demonstrated by an admin/page/system/nav.php?del= URI.
- CVE-2019-11600HIGHCVSS 8.1EG 8.12019-05-13
A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbitrary SQL commands via the id parameter. The attack can be performed unauthenticated if OpenProject is configured not t…
- CVE-2019-11613MEDIUMCVSS 6.5EG 6.52019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/views/ajax/contactView.php. A remote normal registered user could exploit the vulnerability to obtain database sensitive information.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →