CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,858 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 114 of 378
- CVE-2020-13566HIGHCVSS 8.8EG 8.82021-04-13
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability In admin/edit_group.php, when the POST parameter action …
- CVE-2020-13567CRITICALCVSS 9.8EG 9.82022-04-18
Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2020-13568HIGHCVSS 8.8EG 8.82021-04-13
SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability in admin/edit_group.php, when the POST parameter action i…
- CVE-2020-13587HIGHCVSS 8.8EG 8.82021-04-09
An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTT…
- CVE-2020-13588HIGHCVSS 8.8EG 8.82021-08-17
An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injecti…
- CVE-2020-13589HIGHCVSS 8.8EG 8.82021-08-17
An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function)…
- CVE-2020-13590HIGHCVSS 7.2EG 7.22022-04-18
Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP req…
- CVE-2020-13591HIGHCVSS 8.8EG 8.82021-04-09
An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP…
- CVE-2020-13592HIGHCVSS 8.8EG 8.82021-04-09
An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP reques…
- CVE-2020-13640CRITICALCVSS 9.8EG 9.82020-06-18
A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)
- CVE-2020-13769HIGHCVSS 8.8EG 8.82020-11-16
LDMS/alert_log.aspx in Ivanti Endpoint Manager through 2020.1 allows SQL Injection via a /remotecontrolauth/api/device request.
- CVE-2020-13873CRITICALCVSS 9.8EG 9.82021-05-12
A SQL Injection vulnerability in get_topic_info() in sys/CODOF/Forum/Topic.php in Codoforum before 4.9 allows remote attackers (pre-authentication) to bypass the admin page via a leaked password-reset token of the admin. (As an admin, an a…
- CVE-2020-13877CRITICALCVSS 9.8EG 9.82020-11-12
SQL Injection issues in various ASPX pages of ResourceXpress Meeting Monitor 4.9 could lead to remote code execution and information disclosure.
- CVE-2020-13921CRITICALCVSS 9.8EG 9.82020-08-05
**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storage, there is a SQL injection vulnerability in the wildcard query cases.
- CVE-2020-13926CRITICALCVSS 9.8EG 9.82020-07-14
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection at…
- CVE-2020-13968CRITICALCVSS 9.8EG 9.82020-12-23
CRK Business Platform <= 2019.1 allows can inject SQL statements against the DB on any path using the 'strSessao' parameter.
- CVE-2020-13993HIGHCVSS 7.5EG 7.52020-07-09
An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A blind time-based SQL injection issue allows remote unauthenticated attackers to retrieve information from the database via a ticket.
- CVE-2020-13996HIGHCVSS 8.8EG 8.82020-06-09
The J2Store plugin before 3.3.13 for Joomla! allows a SQL injection attack by a trusted store manager.
- CVE-2020-14054CRITICALCVSS 9.8EG 9.82020-06-15
SOKKIA GNR5 Vanguard WEB version 1.2 (build: 91f2b2c3a04d203d79862f87e2440cb7cefc3cd3) and hardware version 212 allows remote attackers to bypass admin authentication via a SQL injection attack that uses the User Name or Password field on …
- CVE-2020-14068CRITICALCVSS 9.8EG 9.82020-06-29
An issue was discovered in MK-AUTH 19.01. The web login functionality allows an attacker to bypass authentication and gain client privileges via SQL injection in central/executar_login.php.
- CVE-2020-14069MEDIUMCVSS 6.8EG 6.82020-06-29
An issue was discovered in MK-AUTH 19.01. There are SQL injection issues in mkt/ PHP scripts, as demonstrated by arp.php, dhcp.php, hotspot.php, ip.php, pgaviso.php, pgcorte.php, pppoe.php, queues.php, and wifi.php.
- CVE-2020-14092CRITICALCVSS 9.8EG 9.82020-07-02
The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection.
- CVE-2020-14159HIGHCVSS 8.8EG 8.82020-06-15
By using an Automate API in ConnectWise Automate before 2020.5.178, a remote authenticated user could execute commands and/or modifications within an individual Automate instance by triggering an SQL injection vulnerability in /LabTech/age…
- CVE-2020-14207MEDIUMCVSS 5.3EG 5.32020-12-08
The DiveBook plugin 1.1.4 for WordPress was prone to a SQL injection within divelog.php, allowing unauthenticated users to retrieve data from the database via the divelog.php filter_diver parameter.
- CVE-2020-14295HIGHCVSS 7.2EG 7.22020-06-17
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
- CVE-2020-14349HIGHCVSS 7.1EG 7.12020-08-24
It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in o…
- CVE-2020-14443HIGHCVSS 8.8EG 8.82020-06-18
A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
- CVE-2020-14497CRITICALCVSS 9.8EG 9.82020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read o…
- CVE-2020-14960HIGHCVSS 7.2EG 7.22020-06-22
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype parameter,
- CVE-2020-14972CRITICALCVSS 9.8EG 9.82020-06-22
Multiple SQL injection vulnerabilities in Sourcecodester Pisay Online E-Learning System 1.0 allow remote unauthenticated attackers to bypass authentication and achieve Remote Code Execution (RCE) via the user_email, user_pass, and id param…
- CVE-2020-14982MEDIUMCVSS 6.5EG 6.52020-07-15
A Blind SQL Injection vulnerability in Kronos WebTA 3.8.x and later before 4.0 (affecting the com.threeis.webta.H352premPayRequest servlet's SortBy parameter) allows an attacker with the Employee, Supervisor, or Timekeeper role to read sen…
- CVE-2020-15008HIGHCVSS 7.5EG 7.52020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates …
- CVE-2020-15052HIGHCVSS 7.5EG 7.52020-07-20
An issue was discovered in Artica Proxy CE before 4.28.030.418. SQL Injection exists via the Netmask, Hostname, and Alias fields.
- CVE-2020-15072HIGHCVSS 8.8EG 8.82020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
- CVE-2020-15108HIGHCVSS 7.1EG 7.12020-07-17
In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.
- CVE-2020-15153HIGHCVSS 8.2EG 8.22021-04-30
Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch.
- CVE-2020-15160CRITICALCVSS 9.8EG 9.82020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
- CVE-2020-15176HIGHCVSS 8.7EG 8.72020-10-07
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltra…
- CVE-2020-15226MEDIUMCVSS 5.0EG 5.02020-10-07
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the curr…
- CVE-2020-15308HIGHCVSS 7.2EG 7.22020-06-26
Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-authentication SQL injection via the site_edit.php typeid or site parameter, the search_incidents_advanced.php search_title parameter, or the report_qbe.php criteriafield…
- CVE-2020-15333MEDIUMCVSS 5.3EG 5.32022-09-29
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discover accounts via MySQL "select * from Administrator_users" and "select * from Users_users" requests.
- CVE-2020-15363CRITICALCVSS 9.8EG 9.82020-06-28
The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
- CVE-2020-15394CRITICALCVSS 9.8EG 9.82020-09-25
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
- CVE-2020-15468CRITICALCVSS 9.8EG 9.82020-07-01
Persian VIP Download Script 1.0 allows SQL Injection via the cart_edit.php active parameter.
- CVE-2020-15487CRITICALCVSS 9.8EG 9.82020-09-30
Re:Desk 2.3 contains a blind unauthenticated SQL injection vulnerability in the getBaseCriteria() function in the protected/models/Ticket.php file. By modifying the folder GET parameter, it is possible to execute arbitrary SQL statements v…
- CVE-2020-15504CRITICALCVSS 9.8EG 9.82020-07-10
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named…
- CVE-2020-15533CRITICALCVSS 9.8EG 9.82020-10-01
In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.
- CVE-2020-15539CRITICALCVSS 9.8EG 9.82020-07-05
SQL injection can occur in We-com Municipality portal CMS 2.1.x via the cerca/ keywords field.
- CVE-2020-15540CRITICALCVSS 9.8EG 9.82020-07-05
We-com OpenData CMS 2.0 allows SQL Injection via the username field on the administrator login page.
- CVE-2020-15616HIGHCVSS 7.5EG 7.52020-07-28
This vulnerability allows remote attackers to disclose sensitive information on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within aja…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →