CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,857 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 104 of 378
- CVE-2019-12619MEDIUMCVSS 6.5EG 6.52020-01-26
A vulnerability in the web interface for Cisco SD-WAN Solution vManage could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is due to insufficient…
- CVE-2019-12679HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12680HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12681HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12682HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12683HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12684HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12685HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12686HIGHCVSS 8.8EG 8.82019-10-02
Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary SQL injections on an affected device. These vulnerabiliti…
- CVE-2019-12710MEDIUMCVSS 4.9EG 4.92019-10-02
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an authenticated, remote attacker to impact the confidentiality of an …
- CVE-2019-12720HIGHCVSS 7.5EG 7.52019-11-12
AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to mvc_send_mail.aspx (MailAdd parameter) SQL Injection. An Attacker can carry a SQL Injection payload to the server, allowing the attacker to read privileged data. This also …
- CVE-2019-12723CRITICALCVSS 9.8EG 9.82019-07-10
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
- CVE-2019-12838CRITICALCVSS 9.8EG 9.82019-07-11
SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL Injection.
- CVE-2019-12850CRITICALCVSS 9.8EG 9.82019-07-03
A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168.
- CVE-2019-12872HIGHCVSS 7.2EG 7.22019-06-18
dotCMS before 5.1.6 is vulnerable to a SQL injection that can be exploited by an attacker of the role Publisher via view_unpushed_bundles.jsp.
- CVE-2019-12918CRITICALCVSS 9.8EG 9.82019-11-06
Quest KACE Systems Management Appliance Server Center version 9.1.317 is vulnerable to SQL injection. The affected file is software_library.php and affected parameters are order[0][column] and order[0][dir].
- CVE-2019-12939CRITICALCVSS 9.8EG 9.82019-06-24
LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in server.php via the p_ext_rse parameter.
- CVE-2019-12946HIGHCVSS 7.5EG 7.52019-07-19
Elcom CMS before 10.7 has SQL Injection via EventSearchByState.aspx and EventSearchAdv.aspx.
- CVE-2019-12960CRITICALCVSS 9.8EG 9.82019-06-25
LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in functions.internal.build.inc.php via the parameter p_dt_s_d.
- CVE-2019-12989CRITICALCVSS 9.8EG 9.8⚠ KEV2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection.
- CVE-2019-13026CRITICALCVSS 9.8EG 9.82019-07-30
OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL Injection via a crafted URL, leading to full access by an attacker. This includes all shopping cart options, customer data, and the database. No interaction between the attack…
- CVE-2019-13027CRITICALCVSS 9.8EG 9.82019-07-12
Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least in the taskupdt/taskdetails.aspx webpage via the projectname parameter.
- CVE-2019-13076HIGHCVSS 8.8EG 8.82019-11-06
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /userui/ticket_list.php, and …
- CVE-2019-13078HIGHCVSS 8.8EG 8.82019-11-06
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /common/user_profile.php. The…
- CVE-2019-13079HIGHCVSS 8.8EG 8.82019-11-06
Quest KACE Systems Management Appliance Server Center 9.1.317 is vulnerable to SQL injection. An authenticated user has the ability to execute arbitrary commands against the database. The affected component is /adminui/history_log.php. The…
- CVE-2019-13086CRITICALCVSS 9.8EG 9.82019-06-30
core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.
- CVE-2019-13191HIGHCVSS 7.5EG 7.52019-09-05
A SQL injection vulnerability in IntraMaps MapControl 8 allows attackers to execute arbitrary SQL commands via the /ApplicationEngine/Search/Refine/Set page.
- CVE-2019-13275CRITICALCVSS 9.8EG 9.82019-07-04
An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default "use cache plugin" setting is enabled, is vulnerable to unauthenticated blind SQL Injection.
- CVE-2019-13292CRITICALCVSS 9.8EG 9.82019-07-04
A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.
- CVE-2019-13373CRITICALCVSS 9.8EG 9.82019-07-06
An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL.
- CVE-2019-13375CRITICALCVSS 9.8EG 9.82019-07-06
A SQL Injection was discovered in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 in PayAction.class.php with the index.php/Pay/passcodeAuth parameter passcode. The vulnerability does not need any authentication.
- CVE-2019-13409CRITICALCVSS 9.8EG 9.82019-10-17
A SQL injection vulnerability was discovered in TOPMeeting before version 8.8 (2019/08/19). An attacker can use a union based injection query string though a search meeting room feature to get databases schema and username/password.
- CVE-2019-13413CRITICALCVSS 9.8EG 9.82019-07-08
The Rencontre plugin before 3.1.3 for WordPress allows SQL Injection via inc/rencontre_widget.php.
- CVE-2019-13447CRITICALCVSS 9.8EG 9.82019-07-17
An issue was discovered in Sertek Xpare 3.67. The login form does not sanitize input data. Because of this, a malicious agent could access the backend database via SQL injection.
- CVE-2019-13462CRITICALCVSS 9.1EG 9.12019-08-12
Lansweeper before 7.1.117.4 allows unauthenticated SQL injection.
- CVE-2019-13489CRITICALCVSS 9.8EG 9.82019-07-10
Trape through 2019-05-08 has SQL injection via the data[2] variable in core/db.py, as demonstrated by the /bs t parameter.
- CVE-2019-13507CRITICALCVSS 9.8EG 9.82019-07-11
hidea.com AZ Admin 1.0 has news_det.php?cod= SQL Injection.
- CVE-2019-13569CRITICALCVSS 9.8EG 9.82019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the af…
- CVE-2019-13570HIGHCVSS 7.2EG 7.22019-07-23
The AJdG AdRotate plugin before 5.3 for WordPress allows SQL Injection.
- CVE-2019-13571CRITICALCVSS 9.8EG 9.82019-07-29
A SQL injection vulnerability exists in the Vsourz Digital Advanced CF7 DB plugin through 1.6.1 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected sy…
- CVE-2019-13572CRITICALCVSS 9.8EG 9.82019-08-01
The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL Injection.
- CVE-2019-13573CRITICALCVSS 9.8EG 9.82019-07-17
A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the…
- CVE-2019-13575CRITICALCVSS 9.8EG 9.82019-07-18
A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via in…
- CVE-2019-13578CRITICALCVSS 9.8EG 9.82019-08-15
A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via in…
- CVE-2019-13957CRITICALCVSS 9.8EG 9.82019-10-02
In Umbraco 7.3.8, there is SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter.
- CVE-2019-13969HIGHCVSS 8.8EG 8.82019-07-19
Metinfo 6.x allows SQL Injection via the id parameter in an admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1 request.
- CVE-2019-13978HIGHCVSS 8.8EG 8.82019-07-19
Ovidentia 8.4.3 has SQL Injection via the id parameter in an index.php?tg=delegat&idx=mem request.
- CVE-2019-14230CRITICALCVSS 9.8EG 9.82019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.7 for WordPress. One could exploit the id parameter in the set_count ajax nopriv handler due to there being no sanitization prior to use in a SQL query in saveQu…
- CVE-2019-14231CRITICALCVSS 9.8EG 9.82019-07-21
An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. One could exploit the points parameter in the ob_get_results ajax nopriv handler due to there being no sanitization prior to use in a SQL query …
- CVE-2019-14234CRITICALCVSS 9.8EG 9.82019-08-09
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for dj…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →