CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,859 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 119 of 378
- CVE-2020-24569MEDIUMCVSS 4.3EG 4.32020-09-30
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the knximport component via an advanced attack vector, allowing logged in attackers to discover arbitrary information.
- CVE-2020-24593HIGHCVSS 7.2EG 7.22020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.
- CVE-2020-24600CRITICALCVSS 9.8EG 9.82022-12-26
Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request.
- CVE-2020-24617HIGHCVSS 8.8EG 8.82021-02-19
Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribersByColumn in lib/models/campaigns.js via /campaigns/clicked/ajax because variable column names are not properly escaped.
- CVE-2020-24623MEDIUMCVSS 6.5EG 6.52020-09-18
A potential security vulnerability has been identified in Hewlett Packard Enterprise Universal API Framework. The vulnerability could be remotely exploited to allow SQL injection in HPE Universal API Framework for VMware Esxi v2.5.2 and HP…
- CVE-2020-24667HIGHCVSS 8.8EG 8.82021-06-10
Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03.
- CVE-2020-24671HIGHCVSS 8.8EG 8.82021-06-10
Trace Financial CRESTBridge <6.3.0.02 contains an authenticated SQL injection vulnerability, which was fixed in 6.3.0.03.
- CVE-2020-24673CRITICALCVSS 9.8EG 9.82020-12-22
In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), re…
- CVE-2020-24769CRITICALCVSS 9.8EG 9.82022-03-30
SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the classes parameter.
- CVE-2020-24770CRITICALCVSS 9.8EG 9.82022-03-30
SQL injection vulnerability in modrules.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2020-24791CRITICALCVSS 9.8EG 9.82021-03-10
FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underl…
- CVE-2020-24841CRITICALCVSS 9.8EG 9.82021-02-16
PNPSCADA 2.200816204020 allows SQL injection via parameter 'interf' in /browse.jsp. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying dat…
- CVE-2020-24862HIGHCVSS 7.5EG 7.52021-06-02
The catID parameter in Pharmacy Medical Store and Sale Point v1.0 has been found to be vulnerable to a Time-Based blind SQL injection via the /medical/inventories.php path which allows attackers to retrieve all databases.
- CVE-2020-24877CRITICALCVSS 9.8EG 9.82021-03-15
A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass.
- CVE-2020-24913CRITICALCVSS 9.8EG 9.82021-03-04
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.
- CVE-2020-24932CRITICALCVSS 9.8EG 9.82021-10-27
An SQL Injection vulnerability exists in Sourcecodester Complaint Management System 1.0 via the cid parameter in complaint-details.php.
- CVE-2020-24950HIGHCVSS 8.8EG 8.82023-08-11
SQL Injection vulnerability in file Base_module_model.php in Daylight Studio FUEL-CMS version 1.4.9, allows remote attackers to execute arbitrary code via the col parameter to function list_items.
- CVE-2020-25004CRITICALCVSS 9.8EG 9.82020-09-03
Heybbs v1.2 has a SQL injection vulnerability in user.php file via the ID parameter which may allow a remote attacker to execute arbitrary code.
- CVE-2020-25005CRITICALCVSS 9.8EG 9.82020-09-03
Heybbs v1.2 has a SQL injection vulnerability in msg.php file via the ID parameter which may allow a remote attacker to execute arbitrary code.
- CVE-2020-25006CRITICALCVSS 9.8EG 9.82020-09-03
Heybbs v1.2 has a SQL injection vulnerability in login.php file via the username parameter which may allow a remote attacker to execute arbitrary code.
- CVE-2020-25034MEDIUMCVSS 6.5EG 6.52020-10-26
eMPS prior to eMPS 9.0 FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort, sort_by, search{URL], or search[attachment] parameter to the email search feature.
- CVE-2020-25130MEDIUMCVSS 6.5EG 6.52020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending an imprope…
- CVE-2020-25132CRITICALCVSS 9.8EG 9.82020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending the improp…
- CVE-2020-25143HIGHCVSS 8.8EG 8.82020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. This can occur via…
- CVE-2020-25147CRITICALCVSS 9.8EG 9.82020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. This can occur via…
- CVE-2020-25157HIGHCVSS 7.5EG 7.52020-10-20
The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information.
- CVE-2020-25253CRITICALCVSS 9.8EG 9.82020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by the TableName, ColumnName, Name, UserId…
- CVE-2020-25254CRITICALCVSS 9.8EG 9.82020-09-11
An issue was discovered in Hyland OnBase 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. It allows SQL injection, as demonstrated by TestConnection_LocalOrLinkedServer, Cre…
- CVE-2020-25273CRITICALCVSS 9.8EG 9.82020-10-08
In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL injection.
- CVE-2020-25362HIGHCVSS 7.5EG 7.52021-06-02
The id paramater in Online Shopping Alphaware 1.0 has been discovered to be vulnerable to an Error-Based blind SQL injection in the /alphaware/details.php path. This allows an attacker to retrieve all databases.
- CVE-2020-25379HIGHCVSS 8.8EG 8.82020-09-14
Wordpress Plugin Store / Mike Rooijackers Recall Products V0.8 fails to sanitize input from the 'Manufacturer[]' parameter which allows an authenticated attacker to inject a malicious SQL query.
- CVE-2020-25409CRITICALCVSS 9.8EG 9.82021-05-24
Projectsworlds College Management System Php 1.0 is vulnerable to SQL injection issues over multiple parameters.
- CVE-2020-25475CRITICALCVSS 9.8EG 9.82020-11-24
SimplePHPscripts News Script PHP Pro 2.3 is affected by a SQL Injection via the id parameter in an editNews action.
- CVE-2020-25487HIGHCVSS 7.8EG 7.82020-09-22
PHPGURUKUL Zoo Management System Using PHP and MySQL version 1.0 is affected by: SQL Injection via zms/animal-detail.php.
- CVE-2020-25514HIGHCVSS 8.4EG 8.42020-09-22
Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.
- CVE-2020-25608HIGHCVSS 7.2EG 7.22020-12-18
The SAS portal of Mitel MiCollab before 9.2 could allow an attacker to access user credentials due to improper input validation, aka SQL Injection.
- CVE-2020-25638HIGHCVSS 7.4EG 7.42020-12-02
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This…
- CVE-2020-25695HIGHCVSS 8.8EG 8.82020-11-16
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL f…
- CVE-2020-25700MEDIUMCVSS 6.5EG 6.52020-11-19
In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed i…
- CVE-2020-25727HIGHCVSS 7.5EG 7.52020-09-17
The Reset Password add-on before 1.2.0 for Alfresco suffers from CMIS-SQL Injection, which allows a malicious user to inject a query within the email input field.
- CVE-2020-25751HIGHCVSS 8.8EG 8.82020-09-18
The paGO Commerce plugin 2.5.9.0 for Joomla! allows SQL Injection via the administrator/index.php?option=com_pago&view=comments filter_published parameter.
- CVE-2020-25760HIGHCVSS 8.8EG 8.82020-09-30
Projectworlds Visitor Management System in PHP 1.0 allows SQL Injection. The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the…
- CVE-2020-25762CRITICALCVSS 9.1EG 9.12020-09-30
An issue was discovered in SourceCodester Seat Reservation System 1.0. The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the post request to /admin/a…
- CVE-2020-25839CRITICALCVSS 9.8EG 9.82020-11-20
NetIQ Identity Manager 4.8 prior to version 4.8 SP2 HF1 are affected by an injection vulnerability. This vulnerability is fixed in NetIQ IdM 4.8 SP2 HF1.
- CVE-2020-25889CRITICALCVSS 9.8EG 9.82020-12-08
Online Bus Booking System Project Using PHP/MySQL version 1.0 has SQL injection via the login page. By placing SQL injection payload on the login page attackers can bypass the authentication and can gain the admin privilege.
- CVE-2020-25905CRITICALCVSS 9.8EG 9.82022-01-28
An SQL Injection vulnerabilty exists in Sourcecodester Mobile Shop System in PHP MySQL 1.0 via the email parameter in (1) login.php or (2) LoginAsAdmin.php.
- CVE-2020-25952CRITICALCVSS 9.8EG 9.82020-11-16
SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System With admin panel 2.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication.
- CVE-2020-25990CRITICALCVSS 9.8EG 9.82020-10-01
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulner…
- CVE-2020-26042CRITICALCVSS 9.8EG 9.82020-09-30
An issue was discovered in Hoosk CMS v1.8.0. There is a SQL injection vulnerability in install/index.php
- CVE-2020-26045CRITICALCVSS 9.8EG 9.82021-01-05
FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →