CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,860 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 125 of 378
- CVE-2020-6133HIGHCVSS 8.8EG 8.82020-09-01
SQL injection vulnerabilities exist in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page CourseMoreInfo.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnera…
- CVE-2020-6134HIGHCVSS 8.8EG 8.82020-09-01
SQL injection vulnerabilities exist in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page MassDropModal.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerab…
- CVE-2020-6135HIGHCVSS 8.8EG 8.82020-09-01
An exploitable SQL injection vulnerability exists in the Validator.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulne…
- CVE-2020-6136HIGHCVSS 8.8EG 8.82020-09-01
An exploitable SQL injection vulnerability exists in the DownloadWindow.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this …
- CVE-2020-6137CRITICALCVSS 9.8EG 9.82020-09-01
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTT…
- CVE-2020-6138CRITICALCVSS 9.8EG 9.82020-09-01
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The uname parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection An attacker can send an HTTP request to t…
- CVE-2020-6139CRITICALCVSS 9.8EG 9.82020-09-01
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The username_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTT…
- CVE-2020-6140CRITICALCVSS 9.8EG 9.82020-09-01
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTT…
- CVE-2020-6141CRITICALCVSS 9.8EG 9.82020-09-01
An exploitable SQL injection vulnerability exists in the login functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.
- CVE-2020-6145HIGHCVSS 8.8EG 8.82020-08-10
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulne…
- CVE-2020-6241HIGHCVSS 8.8EG 8.82020-05-12
SAP Adaptive Server Enterprise, version 16.0, allows an authenticated user to execute crafted database queries to elevate privileges of users in the system, leading to SQL Injection.
- CVE-2020-6249HIGHCVSS 8.8EG 8.82020-05-12
The use of an admin backend report within SAP Master Data Governance, versions - S4CORE 101, S4FND 102, 103, 104, SAP_BS_FND 748; allows an attacker to execute crafted database queries, exposing the backend database, leading to SQL Injecti…
- CVE-2020-6253HIGHCVSS 7.2EG 7.22020-05-12
Under certain conditions, SAP Adaptive Server Enterprise (Web Services), versions 15.7, 16.0, allows an authenticated user to execute crafted database queries to elevate their privileges, modify database objects, or execute commands they a…
- CVE-2020-6577CRITICALCVSS 9.8EG 9.82021-03-19
The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows itrk-api.php rechtstext_language SQL Injection.
- CVE-2020-6637CRITICALCVSS 9.8EG 9.82020-08-24
openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
- CVE-2020-6880CRITICALCVSS 9.8EG 9.82020-12-01
A ZXELINK wireless controller has a SQL injection vulnerability. A remote attacker does not need to log in. By sending malicious SQL statements, because the device does not properly filter parameters, successful use can obtain management r…
- CVE-2020-6960CRITICALCVSS 9.8EG 9.82020-01-22
The following versions of MAXPRO VMS and NVR, MAXPRO VMS:HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch, MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAX…
- CVE-2020-7229CRITICALCVSS 9.8EG 9.82020-01-21
An issue was discovered in Simplejobscript.com SJS before 1.65. There is unauthenticated SQL injection via the search engine. The parameter is landing_location. The function is countSearchedJobs(). The file is _lib/class.Job.php.
- CVE-2020-7356CRITICALCVSS 10.0EG 10.02020-08-06
CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp is not properly sanitized before being returned to the user or used in SQL queries…
- CVE-2020-7383MEDIUMCVSS 6.5EG 6.52020-10-14
A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access.
- CVE-2020-7471CRITICALCVSS 9.8EG 9.82020-02-03
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specifie…
- CVE-2020-7493HIGHCVSS 7.8EG 7.82020-06-16
A CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) which could cause malicio…
- CVE-2020-7500CRITICALCVSS 9.8EG 9.82020-06-16
A CWE-89:Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability exists in U.motion Servers and Touch Panels (affected versions listed in the security notification) which could cause arbitrary cod…
- CVE-2020-7577HIGHCVSS 8.1EG 8.12020-07-14
A vulnerability has been identified in Camstar Enterprise Platform (All versions), Opcenter Execution Core (All versions < V8.2). Through the use of several vulnerable fields of the application, an authenticated user could perform an SQL I…
- CVE-2020-7759MEDIUMCVSS 6.5EG 6.52020-10-30
The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds…
- CVE-2020-7819CRITICALCVSS 9.3EG 9.32021-09-07
A SQL-Injection vulnerability in the nTracker USB Enterprise(secure USB management solution) allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information.
- CVE-2020-7939HIGHCVSS 8.8EG 8.82020-01-23
SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.)
- CVE-2020-7981CRITICALCVSS 9.8EG 9.82020-01-25
sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.
- CVE-2020-8211CRITICALCVSS 9.8EG 9.82020-08-17
Improper input validation in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows SQL Injection.
- CVE-2020-8242HIGHCVSS 7.2EG 7.22022-02-18
Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.
- CVE-2020-8427CRITICALCVSS 9.8EG 9.82020-02-17
In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass.
- CVE-2020-8435HIGHCVSS 8.1EG 8.12020-03-12
An issue was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress. There is SQL injection via the rm_analytics_show_form rm_form_id parameter.
- CVE-2020-8519CRITICALCVSS 9.8EG 9.82020-07-07
SQL injection with the search parameter in Records.php for phpzag live add edit delete data tables records with ajax php mysql
- CVE-2020-8520CRITICALCVSS 9.8EG 9.82020-07-07
SQL injection in order and column parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql
- CVE-2020-8521CRITICALCVSS 9.8EG 9.82020-07-07
SQL injection with start and length parameters in Records.php for phpzag live add edit delete data tables records with ajax php mysql
- CVE-2020-8592CRITICALCVSS 9.8EG 9.82020-02-03
eG Manager 7.1.2 allows SQL Injection via the user parameter to com.eg.LoginHelperServlet (aka the Forgot Password feature).
- CVE-2020-8596HIGHCVSS 7.5EG 7.52020-02-11
participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy parameters. It is possible to exfiltrate d…
- CVE-2020-8611HIGHCVSS 8.8EG 8.82020-02-14
In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer…
- CVE-2020-8637CRITICALCVSS 9.8EG 9.82020-04-03
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.
- CVE-2020-8638CRITICALCVSS 9.8EG 9.82020-04-03
A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php via the urgency parameter.
- CVE-2020-8645CRITICALCVSS 9.8EG 9.82020-02-07
An issue was discovered in Simplejobscript.com SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file …
- CVE-2020-8656CRITICALCVSS 9.8EG 9.82020-02-07
An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include…
- CVE-2020-8783CRITICALCVSS 9.8EG 9.82020-03-16
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
- CVE-2020-8784CRITICALCVSS 9.8EG 9.82020-03-16
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
- CVE-2020-8785CRITICALCVSS 9.8EG 9.82020-03-16
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
- CVE-2020-8786CRITICALCVSS 9.8EG 9.82020-03-16
SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
- CVE-2020-8802CRITICALCVSS 9.8EG 9.82020-02-13
SuiteCRM through 7.11.11 has Incorrect Access Control via action_saveHTMLField Bean Manipulation.
- CVE-2020-8804MEDIUMCVSS 6.5EG 6.52020-02-13
SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
- CVE-2020-8841HIGHCVSS 8.8EG 8.82020-02-10
An issue was discovered in TestLink 1.9.19. The relation_type parameter of the lib/requirements/reqSearch.php endpoint is vulnerable to authenticated SQL Injection.
- CVE-2020-8887HIGHCVSS 7.5EG 7.52020-09-22
Telestream Tektronix Medius before 10.7.5 and Sentry before 10.7.5 have a SQL injection vulnerability allowing an unauthenticated attacker to dump database contents via the page parameter in a page=login request to index.php (aka the serve…
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →