CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,860 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 121 of 378
- CVE-2020-28102CRITICALCVSS 9.8EG 9.82022-01-11
cscms v4.1 allows for SQL injection via the "js_del" function.
- CVE-2020-28103CRITICALCVSS 9.8EG 9.82022-01-11
cscms v4.1 allows for SQL injection via the "page_del" function.
- CVE-2020-28115HIGHCVSS 8.8EG 8.82020-11-05
SQL Injection vulnerability in "Documents component" found in AudimexEE version 14.1.0 allows an attacker to execute arbitrary SQL commands via the object_path parameter.
- CVE-2020-28133CRITICALCVSS 9.8EG 9.82020-11-17
An issue was discovered in SourceCodester Simple Grocery Store Sales And Inventory System 1.0. There was authentication bypass in web login functionality allows an attacker to gain client privileges via SQL injection in sales_inventory/log…
- CVE-2020-28138CRITICALCVSS 9.8EG 9.82020-11-17
SourceCodester Online Clothing Store 1.0 is affected by a SQL Injection via the txtUserName parameter to login.php.
- CVE-2020-28172CRITICALCVSS 9.8EG 9.82021-03-31
A SQL injection vulnerability in Simple College Website 1.0 allows remote unauthenticated attackers to bypass the admin authentication mechanism in college_website/admin/ajax.php?action=login, thus gaining access to the website administrat…
- CVE-2020-28183CRITICALCVSS 9.8EG 9.82020-11-17
SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the username and password parameters to process.php.
- CVE-2020-28413MEDIUMCVSS 5.3EG 5.32020-12-30
In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP.
- CVE-2020-28657CRITICALCVSS 9.8EG 9.82021-03-02
In bPanel 2.0, the administrative ajax endpoints (aka ajax/aj_*.php) are accessible without authentication and allow SQL injections, which could lead to platform compromise.
- CVE-2020-28679HIGHCVSS 8.8EG 8.82022-01-10
A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.
- CVE-2020-28702HIGHCVSS 7.5EG 7.52021-11-01
A SQL injection vulnerability in TopicMapper.xml of PybbsCMS v5.2.1 allows attackers to access sensitive database information.
- CVE-2020-28860HIGHCVSS 8.8EG 8.82020-12-14
OpenAssetDigital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection.
- CVE-2020-28960CRITICALCVSS 9.8EG 9.82021-10-22
Chichen Tech CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the file product_list.php via the id and cid parameters.
- CVE-2020-28994CRITICALCVSS 9.8EG 9.82020-11-24
A SQL injection vulnerability was discovered in Karenderia Multiple Restaurant System, affecting versions 5.4.2 and below. The vulnerability allows for an unauthenticated attacker to perform various tasks such as modifying and leaking all …
- CVE-2020-29011HIGHCVSS 8.8EG 8.82021-08-04
Instances of SQL Injection vulnerabilities in the checksum search and MTA-quarantine modules of FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated attacker to execute unauthorized code on the underlying SQ…
- CVE-2020-29015CRITICALCVSS 9.8EG 9.82021-01-14
A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorizati…
- CVE-2020-29139HIGHCVSS 7.2EG 7.22021-02-15
A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the searchFields parameter.
- CVE-2020-29140HIGHCVSS 7.2EG 7.22021-02-15
A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.
- CVE-2020-29142HIGHCVSS 7.2EG 7.22021-02-15
A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the schedule_facility parameter when restrict_user_facility=on …
- CVE-2020-29143HIGHCVSS 7.2EG 7.22021-02-15
A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to execute arbitrary SQL commands via the form_code parameter.
- CVE-2020-29147HIGHCVSS 7.5EG 7.52021-07-14
A SQL injection vulnerability in wy_controlls/wy_side_visitor.php of Wayang-CMS v1.0 allows attackers to obtain sensitive database information.
- CVE-2020-29163HIGHCVSS 8.8EG 8.82021-02-03
PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by SQL injection.
- CVE-2020-29168CRITICALCVSS 9.8EG 9.82023-02-17
SQL Injection vulnerability in Projectworlds Online Doctor Appointment Booking System, allows attackers to gain sensitive information via the q parameter to the getuser.php endpoint.
- CVE-2020-29214CRITICALCVSS 9.8EG 9.82021-06-15
SQL injection vulnerability in SourceCodester Alumni Management System 1.0 allows the user to inject SQL payload to bypass the authentication via admin/login.php.
- CVE-2020-29228HIGHCVSS 7.5EG 7.52020-12-30
EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login Page.
- CVE-2020-29280CRITICALCVSS 9.8EG 9.82020-12-02
The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page.
- CVE-2020-29282CRITICALCVSS 9.8EG 9.82020-12-02
SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication.
- CVE-2020-29283CRITICALCVSS 9.8EG 9.82020-12-02
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.
- CVE-2020-29284CRITICALCVSS 9.8EG 9.82020-12-02
The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request t…
- CVE-2020-29285CRITICALCVSS 9.8EG 9.82020-12-02
SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php.
- CVE-2020-29287CRITICALCVSS 9.8EG 9.82020-12-02
An SQL injection vulnerability was discovered in Car Rental Management System v1.0 can be exploited via the id parameter in view_car.php or the car_id parameter in booking.php.
- CVE-2020-29288CRITICALCVSS 9.8EG 9.82020-12-02
An SQL injection vulnerability was discovered in Gym Management System In manage_user.php file, GET parameter 'id' is vulnerable.
- CVE-2020-29297CRITICALCVSS 9.8EG 9.82023-01-20
Multiple SQL Injection vulnerabilities in tourist5 Online-food-ordering-system 1.0.
- CVE-2020-29437HIGHCVSS 8.1EG 8.12021-01-05
SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMo…
- CVE-2020-29472CRITICALCVSS 9.8EG 9.82020-12-24
EGavilan Media Under Construction page with cPanel 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution.
- CVE-2020-29474CRITICALCVSS 9.8EG 9.82020-12-24
EGavilan Media EGM Address Book 1.0 contains a SQL injection vulnerability. An attacker can gain Admin Panel access using malicious SQL injection queries to perform remote arbitrary code execution.
- CVE-2020-29493CRITICALCVSS 10.0EG 10.02021-01-14
DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands …
- CVE-2020-29574CRITICALCVSS 9.8EG 9.8⚠ KEV2020-12-11
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
- CVE-2020-3154MEDIUMCVSS 4.9EG 4.92020-02-19
A vulnerability in the web UI of Cisco Cloud Web Security (CWS) could allow an authenticated, remote attacker to execute arbitrary SQL queries. The vulnerability exists because the web-based management interface improperly validates SQL va…
- CVE-2020-3184HIGHCVSS 7.2EG 7.22020-05-22
A vulnerability in the web-based management interface of Cisco Prime Collaboration Provisioning Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because…
- CVE-2020-3339MEDIUMCVSS 5.4EG 5.42020-06-03
A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper validation of us…
- CVE-2020-3378MEDIUMCVSS 4.3EG 4.32020-07-16
A vulnerability in the web-based management interface for Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to impact the integrity of an affected system by executing arbitrary SQL queries. The vulnerability is du…
- CVE-2020-3450MEDIUMCVSS 4.9EG 4.92020-07-16
A vulnerability in the web-based management interface of Cisco Vision Dynamic Signage Director could allow an authenticated, remote attacker with administrative credentials to conduct SQL injection attacks on an affected system. The vulner…
- CVE-2020-3462MEDIUMCVSS 6.3EG 6.32020-07-31
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability is due to improper va…
- CVE-2020-3468MEDIUMCVSS 5.4EG 5.42020-07-16
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based man…
- CVE-2020-35012HIGHCVSS 7.2EG 7.22021-12-01
The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to an SQL Injection
- CVE-2020-35122HIGHCVSS 7.5EG 7.52020-12-15
An issue was discovered in the Keysight Database Connector plugin before 1.5.0 for Confluence. A malicious user could bypass the access controls for using a saved database connection profile to submit arbitrary SQL against a saved database…
- CVE-2020-35151HIGHCVSS 8.8EG 8.82020-12-21
The Online Marriage Registration System 1.0 post parameter "searchdata" in the user/search.php request is vulnerable to Time Based Sql Injection.
- CVE-2020-35242CRITICALCVSS 9.8EG 9.82020-12-26
Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserTeamInfoInDbAndMemory.
- CVE-2020-35243CRITICALCVSS 9.8EG 9.82020-12-26
Flamingo (aka FlamingoIM) through 2020-09-29 has a SQL injection vulnerability in UserManager::updateUserInfoInDb.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →