CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,857 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 103 of 378
- CVE-2019-11614HIGHCVSS 7.5EG 7.52019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/views/ajax/commentView.php. A remote unauthorized attacker could exploit the vulnerability to obtain database sensitive information.
- CVE-2019-11619MEDIUMCVSS 4.9EG 4.92019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/configurationRequest.php when action=analytics. A remote background administrator privilege user (or a user with permission to manage configuration analytics) co…
- CVE-2019-11620MEDIUMCVSS 4.9EG 4.92019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/modulecategoryRequest.php. A remote background administrator privilege user (or a user with permission to manage modulecategory) could exploit the vulnerability …
- CVE-2019-11621MEDIUMCVSS 4.9EG 4.92019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/configurationRequest.php when action=network. A remote background administrator privilege user (or a user with permission to manage network configuration) could …
- CVE-2019-11622MEDIUMCVSS 4.9EG 4.92019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/modulecategoryRequest.php. A remote background administrator privilege user (or a user with permission to manage modulecategory) could exploit the vulnerability …
- CVE-2019-11623MEDIUMCVSS 4.9EG 4.92019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/configurationRequest.php when action=siteweb. A remote background administrator privilege user (or a user with permission to manage configuration siteweb) could …
- CVE-2019-11625MEDIUMCVSS 4.9EG 4.92019-04-30
doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/requests/user/emailingRequest.php. A remote background administrator privilege user (or a user with permission to manage emailing) could exploit the vulnerability to obtain da…
- CVE-2019-11678CRITICALCVSS 9.8EG 9.82019-05-02
The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection.
- CVE-2019-11768CRITICALCVSS 9.8EG 9.82019-06-05
An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.
- CVE-2019-11821HIGHCVSS 7.3EG 9.82019-06-30
SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
- CVE-2019-11880HIGHCVSS 7.5EG 7.52019-05-22
CommSy through 8.6.5 has SQL Injection via the cid parameter. This is fixed in 9.2.
- CVE-2019-11970HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11971HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11972HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11973HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11974HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11975HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11976HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11977HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11978HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11979HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-11984HIGHCVSS 8.8EG 8.82019-06-05
A SQL injection code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.
- CVE-2019-12149CRITICALCVSS 9.8EG 9.82019-06-11
SQL injection vulnerability in silverstripe/restfulserver module 1.0.x before 1.0.9, 2.0.x before 2.0.4, and 2.1.x before 2.1.2 and silverstripe/registry module 2.1.x before 2.1.1 and 2.2.x before 2.2.1 allows attackers to execute arbitrar…
- CVE-2019-12193CRITICALCVSS 9.8EG 9.82019-07-19
H3C H3Cloud OS all versions allows SQL injection via the ear/grid_event sidx parameter.
- CVE-2019-12196CRITICALCVSS 9.8EG 9.82019-06-05
A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.
- CVE-2019-12239HIGHCVSS 7.2EG 7.22019-05-20
The WP Booking System plugin 1.5.1 for WordPress has no CSRF protection, which allows attackers to reach certain SQL injection issues that require administrative access.
- CVE-2019-12251HIGHCVSS 8.8EG 8.82019-05-21
sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter.
- CVE-2019-12279CRITICALCVSS 9.8EG 9.82019-05-22
Nagios XI 5.6.1 allows SQL injection via the username parameter to login.php?forgotpass (aka the reset password form). NOTE: The vendor disputes this issues as not being a vulnerability because the issue does not seem to be a legitimate SQ…
- CVE-2019-12348CRITICALCVSS 9.8EG 9.82021-05-24
An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter.
- CVE-2019-12349CRITICALCVSS 9.8EG 9.82022-06-02
An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter.
- CVE-2019-12350CRITICALCVSS 9.8EG 9.82022-06-02
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma.
- CVE-2019-12351CRITICALCVSS 9.8EG 9.82022-06-02
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.
- CVE-2019-12352HIGHCVSS 8.8EG 8.82022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie.
- CVE-2019-12353HIGHCVSS 7.2EG 7.22022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter.
- CVE-2019-12354HIGHCVSS 7.2EG 7.22022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter.
- CVE-2019-12355HIGHCVSS 8.8EG 8.82022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_print.php (when the attacker has dls_print authority) via the id parameter.
- CVE-2019-12356HIGHCVSS 8.8EG 8.82022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_download.php (when the attacker has dls_download authority) via the id parameter.
- CVE-2019-12357HIGHCVSS 7.2EG 7.22022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter.
- CVE-2019-12358HIGHCVSS 8.8EG 8.82022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendsms.php (when the attacker has dls_print authority) via a dlid cookie.
- CVE-2019-12359HIGHCVSS 7.2EG 7.22022-06-17
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter.
- CVE-2019-12372HIGHCVSS 7.8EG 7.82019-05-28
Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.
- CVE-2019-12374HIGHCVSS 8.1EG 8.12019-06-03
A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite (LDMS, aka Endpoint Manager) 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/P…
- CVE-2019-12385HIGHCVSS 8.8EG 8.82019-08-22
An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, h…
- CVE-2019-12465HIGHCVSS 8.1EG 8.12019-09-09
An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rul…
- CVE-2019-12516HIGHCVSS 8.8EG 8.82019-09-13
The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-edit&id= or /wp-admin/admin.php?page=slic…
- CVE-2019-12570HIGHCVSS 8.8EG 8.82019-07-03
A SQL injection vulnerability in the Xpert Solution "Server Status by Hostname/IP" plugin 4.6 for WordPress allows an authenticated user to execute arbitrary SQL commands via GET parameters.
- CVE-2019-12598CRITICALCVSS 9.8EG 9.82019-06-07
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3).
- CVE-2019-12599CRITICALCVSS 9.8EG 9.82019-06-07
SuiteCRM 7.10.x before 7.10.17 and 7.11.x before 7.11.5 allows SQL Injection.
- CVE-2019-12600CRITICALCVSS 9.8EG 9.82019-06-07
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).
- CVE-2019-12601CRITICALCVSS 9.8EG 9.82019-06-07
SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →