CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,857 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 105 of 378
- CVE-2019-14254CRITICALCVSS 9.8EG 9.82019-09-18
An issue was discovered in the secure portal in Publisure 2.1.2. Because SQL queries are not well sanitized, there are multiple SQL injections in userAccFunctions.php functions. Using this, an attacker can access passwords and/or grant acc…
- CVE-2019-14266HIGHCVSS 8.8EG 8.82019-07-25
OpenSNS v6.1.0 allows SQL Injection via the index.php?s=/ucenter/Config/ uid parameter because of the getNeedQueryData function in Application/Common/Model/UserModel.class.php.
- CVE-2019-14313CRITICALCVSS 9.8EG 9.82019-07-30
A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via fi…
- CVE-2019-14314CRITICALCVSS 9.8EG 9.82019-08-27
A SQL injection vulnerability exists in the Imagely NextGEN Gallery plugin before 3.2.11 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system vi…
- CVE-2019-14348CRITICALCVSS 9.8EG 9.82019-08-05
The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to steal, modify, or delete database information via the joomsport_season/new-yorkers/?action=playerlist sid parameter.
- CVE-2019-14430MEDIUMCVSS 5.3EG 5.32019-08-20
plugin/Audit/Objects/AuditTable.php in YouPHPTube through 7.2 allows SQL Injection.
- CVE-2019-14529CRITICALCVSS 9.8EG 9.82019-08-02
OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.
- CVE-2019-14695CRITICALCVSS 9.8EG 9.82019-08-06
A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via co…
- CVE-2019-14702CRITICALCVSS 9.8EG 9.82019-08-06
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. SQL injection vulnerabilities exist in 13 forms that are reachable through HTTPD. An attacker can, for example, create an admin account.
- CVE-2019-14754CRITICALCVSS 9.8EG 9.82019-08-08
Open-School 3.0, and Community Edition 2.3, allows SQL Injection via the index.php?r=students/students/document id parameter.
- CVE-2019-14801CRITICALCVSS 9.8EG 9.82019-08-09
The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows email subscription SQL injection.
- CVE-2019-14900MEDIUMCVSS 6.5EG 6.52020-07-06
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of th…
- CVE-2019-14937HIGHCVSS 7.5EG 7.52019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database…
- CVE-2019-14966HIGHCVSS 8.8EG 8.82019-08-12
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. There exists an authenticated SQL injection.
- CVE-2019-14968CRITICALCVSS 9.8EG 9.82019-08-12
An issue was discovered in imcat 4.9. There is SQL Injection via the index.php order parameter in a mod=faqs action.
- CVE-2019-15016HIGHCVSS 8.8EG 8.82019-10-09
An SQL injection vulnerability exists in the management interface of Zingbox Inspector versions 1.288 and earlier, that allows for unsanitized data provided by an authenticated user to be passed from the web UI into the database.
- CVE-2019-15025CRITICALCVSS 9.8EG 9.82019-08-14
The ninja-forms plugin before 3.3.21.2 for WordPress has SQL injection in the search filter on the submissions page.
- CVE-2019-15104HIGHCVSS 8.8EG 8.82019-08-16
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTE…
- CVE-2019-15105HIGHCVSS 8.8EG 8.82019-08-16
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority…
- CVE-2019-15300HIGHCVSS 8.8EG 8.82019-11-27
A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL…
- CVE-2019-15301CRITICALCVSS 9.8EG 9.82019-09-18
A SQL injection vulnerability in the method Terrasoft.Core.DB.Column.Const() in Terrasoft Bpm'online CRM-System SDK 7.13 allows attackers to execute arbitrary SQL commands via the value parameter.
- CVE-2019-15533CRITICALCVSS 9.8EG 9.82019-08-26
XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php.
- CVE-2019-15534CRITICALCVSS 9.8EG 9.82019-08-26
Raml-Module-Builder 26.4.0 allows SQL Injection in PostgresClient.update.
- CVE-2019-15535CRITICALCVSS 9.8EG 9.82019-08-23
Tasking Manager before 3.4.0 allows SQL Injection via custom SQL.
- CVE-2019-15536CRITICALCVSS 9.8EG 9.82019-08-23
The Acclaim block plugin before 2019-06-26 for Moodle allows SQL Injection via delete_records.
- CVE-2019-15537CRITICALCVSS 9.8EG 9.82019-08-23
The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php.
- CVE-2019-15555CRITICALCVSS 9.8EG 9.82019-08-26
FredReinink Wellness-app before 2019-06-19 allows SQL injection, related to dietTrack.php, exerciseGenerator.php, fitnessTrack.php, and server.php.
- CVE-2019-15556CRITICALCVSS 9.8EG 9.82019-08-26
Pvanloon1983 social_network before 2019-07-03 allows SQL injection in includes/form_handlers/register_handler.php.
- CVE-2019-15557CRITICALCVSS 9.8EG 9.82019-08-26
XM^online 2 User Account and Authentication server 1.0.0 allows SQL injection via a tenant key.
- CVE-2019-15558CRITICALCVSS 9.8EG 9.82019-08-26
XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, related to Constants.java, DropSchemaResolver.java, and SchemaChangeResolver.java.
- CVE-2019-15559CRITICALCVSS 9.8EG 9.82019-08-26
DianoxDragon Hawn before 2019-07-10 allows SQL injection.
- CVE-2019-15560CRITICALCVSS 9.8EG 9.82019-08-26
The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in database/index.js.
- CVE-2019-15561CRITICALCVSS 9.8EG 9.82019-08-26
FlashLingo before 2019-06-12 allows SQL injection, related to flashlingo.js and db.js.
- CVE-2019-15562CRITICALCVSS 9.8EG 9.82019-08-26
GORM before 1.9.10 allows SQL injection via incomplete parentheses. NOTE: Misusing Gorm by passing untrusted user input where Gorm expects trusted SQL fragments is a vulnerability in the application, not in Gorm
- CVE-2019-15563CRITICALCVSS 9.8EG 9.82019-08-26
Observational Health Data Sciences and Informatics (OHDSI) WebAPI before 2.7.2 allows SQL injection in FeatureExtractionService.java.
- CVE-2019-15564CRITICALCVSS 9.8EG 9.82019-08-26
The Compassion Switzerland addons 10.01.4 for Odoo allow SQL injection in models/partner_compassion.py.
- CVE-2019-15565CRITICALCVSS 9.8EG 9.82019-08-26
The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php.
- CVE-2019-15566CRITICALCVSS 9.8EG 9.82019-08-26
The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java.
- CVE-2019-15567CRITICALCVSS 9.8EG 9.82019-08-26
OpenForis Arena before 2019-05-07 allows SQL injection in the sorting feature.
- CVE-2019-15568CRITICALCVSS 9.8EG 9.82019-08-26
idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform IDseq allows SQL injection via tax_levels.
- CVE-2019-15569CRITICALCVSS 9.8EG 9.82019-08-26
HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows SQL injection, related to SearchQueryFactoryOperation.java and SortDirection.java.
- CVE-2019-15570CRITICALCVSS 9.8EG 9.82019-08-26
BEdita through 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters.
- CVE-2019-15571CRITICALCVSS 9.8EG 9.82019-08-26
The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php.
- CVE-2019-15572CRITICALCVSS 9.8EG 9.82019-08-26
Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in shop.php.
- CVE-2019-15573CRITICALCVSS 9.8EG 9.82019-08-26
Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php.
- CVE-2019-15574CRITICALCVSS 9.8EG 9.82019-08-26
Gesior-AAC before 2019-05-01 allows serviceID SQL injection in accountmanagement.php.
- CVE-2019-15622LOWCVSS 2.4EG 2.42020-02-04
Not strictly enough sanitization in the Nextcloud Android app 3.6.0 allowed an attacker to get content information from protected tables when using custom queries.
- CVE-2019-15646CRITICALCVSS 9.8EG 9.82019-08-27
The rsvpmaker plugin before 6.2 for WordPress has SQL injection.
- CVE-2019-15658HIGHCVSS 7.3EG 7.32019-08-26
connect-pg-simple before 6.0.1 allows SQL injection if tableName or schemaName is untrusted data.
- CVE-2019-15659CRITICALCVSS 9.8EG 9.82019-08-27
The pie-register plugin before 3.1.2 for WordPress has SQL injection, a different issue than CVE-2018-10969.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →