CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,857 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 107 of 378
- CVE-2019-17418HIGHCVSS 7.2EG 9.02019-10-10
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=language&c=language_general&a=doSearchParameter appno parameter, a different issue than CVE-2019-16997.
- CVE-2019-17419HIGHCVSS 7.2EG 7.22019-10-10
An issue was discovered in MetInfo 7.0. There is SQL injection via the admin/?n=user&c=admin_user&a=doGetUserInfo id parameter.
- CVE-2019-17429CRITICALCVSS 9.8EG 9.82019-10-10
Adhouma CMS through 2019-10-09 has SQL Injection via the post.php p_id parameter.
- CVE-2019-17527CRITICALCVSS 9.8EG 9.82019-12-19
dataForDepandantField in models/custormfields.php in the JS JOBS FREE extension before 1.2.7 for Joomla! allows SQL Injection via the index.php?option=com_jsjobs&task=customfields.getfieldtitlebyfieldandfieldfo child parameter.
- CVE-2019-17552CRITICALCVSS 9.8EG 9.82019-10-14
An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.
- CVE-2019-17553CRITICALCVSS 9.8EG 9.82019-10-14
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.
- CVE-2019-17580CRITICALCVSS 9.8EG 9.82019-10-14
tonyy dormsystem through 1.3 allows SQL Injection in admin.php.
- CVE-2019-17602CRITICALCVSS 9.8EG 9.82019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authen…
- CVE-2019-17612HIGHCVSS 7.2EG 7.22019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
- CVE-2019-17647CRITICALCVSS 9.8EG 9.82020-03-05
An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, and 19.10.2. SQL Injection exists via the include/monitoring/status/Hosts/xml/hostXML.php instance parameter.
- CVE-2019-18229MEDIUMCVSS 6.5EG 6.52019-10-31
Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input cause SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.
- CVE-2019-18234CRITICALCVSS 9.8EG 9.82019-12-23
Equinox Control Expert all versions, is vulnerable to an SQL injection attack, which may allow an attacker to remotely execute arbitrary code.
- CVE-2019-1824HIGHCVSS 8.1EG 8.12019-05-16
A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerabilit…
- CVE-2019-1825HIGHCVSS 8.1EG 8.12019-05-16
A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary SQL queries. This vulnerabilit…
- CVE-2019-18344CRITICALCVSS 9.8EG 9.82019-10-23
Sourcecodester Online Grading System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, or user page (id or classid para…
- CVE-2019-18387CRITICALCVSS 9.8EG 9.82019-10-23
Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room B…
- CVE-2019-18413LOWCVSS 3.7EG 3.72019-10-24
In TypeStack class-validator 0.10.2, validate() input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used…
- CVE-2019-18464CRITICALCVSS 9.8EG 9.82019-10-31
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker …
- CVE-2019-18622CRITICALCVSS 9.8EG 9.82019-11-22
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
- CVE-2019-18646HIGHCVSS 7.2EG 7.22019-11-14
The Untangle NG firewall 14.2.0 is vulnerable to authenticated inline-query SQL injection within the timeDataDynamicColumn parameter when logged in as an admin user.
- CVE-2019-18662CRITICALCVSS 9.8EG 9.82019-11-02
An issue was discovered in YouPHPTube through 7.7. User input passed through the live_stream_code POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized (in getFromChat in plugin/LiveChat/Objects/LiveChatObj.php) bef…
- CVE-2019-18663CRITICALCVSS 9.8EG 9.82019-11-04
A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter.
- CVE-2019-18784CRITICALCVSS 9.8EG 9.82019-11-06
SuiteCRM 7.10.x versions prior to 7.10.21 and 7.11.x versions prior to 7.11.9 allow SQL Injection.
- CVE-2019-18866HIGHCVSS 7.5EG 7.52020-05-07
Unauthenticated SQL injection via the username in the login mechanism in Blaauw Remote Kiln Control through v3.00r4 allows a user to extract arbitrary data from the rkc database.
- CVE-2019-18890MEDIUMCVSS 6.5EG 6.52019-11-21
A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.
- CVE-2019-19016HIGHCVSS 7.5EG 7.52019-12-02
An issue was discovered in TitanHQ WebTitan before 5.18. Some functions, such as /history-x.php, of the administration interface are vulnerable to SQL Injection through the results parameter. This could be used by an attacker to extract se…
- CVE-2019-19026MEDIUMCVSS 4.9EG 4.92020-03-20
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
- CVE-2019-19029HIGHCVSS 7.2EG 7.22020-03-20
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
- CVE-2019-19094HIGHCVSS 7.6EG 7.62020-04-02
Lack of input checks for SQL queries in ABB eSOMS versions 3.9 to 6.0.3 might allow an attacker SQL injection attacks against the backend database.
- CVE-2019-19113CRITICALCVSS 9.8EG 9.82019-11-18
main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?goodsCategoryId=&keyword= SQL Injection.
- CVE-2019-19207HIGHCVSS 8.8EG 8.82019-11-21
rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.
- CVE-2019-19209HIGHCVSS 7.5EG 7.52020-03-16
Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.
- CVE-2019-19245CRITICALCVSS 9.8EG 9.82019-12-02
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
- CVE-2019-19250CRITICALCVSS 9.8EG 9.82019-11-25
OpenTrade before 2019-11-23 allows SQL injection, related to server/modules/api/v1.js and server/utils.js.
- CVE-2019-19286HIGHCVSS 7.2EG 7.22020-12-14
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow SQL injection attacks if an attacker is able to modify content of particular web pages.
- CVE-2019-19292HIGHCVSS 8.8EG 8.82020-03-10
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) contains an SQL injection vulnerability in its XML-based communication protocol as provided by default on ports 544…
- CVE-2019-1942MEDIUMCVSS 4.3EG 6.52019-07-17
A vulnerability in the sponsor portal web interface for Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability …
- CVE-2019-19499MEDIUMCVSS 6.5EG 6.52020-08-28
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
- CVE-2019-19607CRITICALCVSS 9.8EG 9.82020-03-02
A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the session parameter. A successful exploit could allow an …
- CVE-2019-19608CRITICALCVSS 9.8EG 9.82020-03-02
A SQL injection vulnerability in in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the registeredList.cgi page. A successful exploit could …
- CVE-2019-19649CRITICALCVSS 9.8EG 9.82019-12-11
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
- CVE-2019-19650HIGHCVSS 8.8EG 8.82019-12-11
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
- CVE-2019-19732HIGHCVSS 7.2EG 7.22019-12-30
translation_manage_text.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 directly insert values from the aSortDir_0 and/or sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own…
- CVE-2019-19734HIGHCVSS 8.8EG 8.82019-12-30
_account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data fr…
- CVE-2019-19740CRITICALCVSS 9.8EG 9.82019-12-12
Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
- CVE-2019-19846CRITICALCVSS 9.8EG 9.82019-12-18
In Joomla! before 3.9.14, the lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
- CVE-2019-19850HIGHCVSS 7.2EG 7.22019-12-17
An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. Because escaping of user-submitted content is mishandled, the class QueryGenerator is vulnerable to SQL injection. Exploitation requires having the …
- CVE-2019-19876CRITICALCVSS 9.8EG 9.82020-11-27
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. An EnMon PHP script was vulnerable to SQL injection, a different vulnerability than CVE-2019-10006.
- CVE-2019-19986HIGHCVSS 7.5EG 7.52020-02-26
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/Vam…
- CVE-2019-20059HIGHCVSS 8.8EG 8.82020-02-10
payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the que…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →