CWE-89— SQL Injection
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.— MITRE CWE catalog
18,851 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-89page 99 of 378
- CVE-2018-3754HIGHCVSS 8.8EG 8.82018-07-03
Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data fro…
- CVE-2018-3783CRITICALCVSS 9.8EG 9.82018-08-17
A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.
- CVE-2018-3811CRITICALCVSS 9.8EG 9.82018-01-01
SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglec…
- CVE-2018-3879HIGHCVSS 8.8EG 8.82018-08-23
An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly parses the user-cont…
- CVE-2018-3882HIGHCVSS 8.8EG 8.82018-09-12
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL i…
- CVE-2018-3883HIGHCVSS 8.8EG 8.82018-09-12
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perf…
- CVE-2018-3884HIGHCVSS 8.8EG 8.82018-09-12
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an…
- CVE-2018-3885HIGHCVSS 8.8EG 8.82018-09-12
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL inje…
- CVE-2018-4056CRITICALCVSS 9.8EG 9.82019-02-05
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass…
- CVE-2018-5211CRITICALCVSS 9.8EG 9.82018-01-09
PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack on the page ajax.php with the parameter playlist.
- CVE-2018-5315CRITICALCVSS 9.8EG 9.82018-01-12
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php.
- CVE-2018-5372HIGHCVSS 8.8EG 8.82018-01-12
The Testimonial Slider plugin through 1.2.4 for WordPress has SQL Injection via settings\sliders.php (current_slider_id parameter).
- CVE-2018-5373HIGHCVSS 8.8EG 8.82018-01-12
The Smooth Slider plugin through 2.8.6 for WordPress has SQL Injection via smooth-slider.php (trid parameter).
- CVE-2018-5374HIGHCVSS 8.8EG 8.82018-01-12
The Dbox 3D Slider Lite plugin through 1.2.2 for WordPress has SQL Injection via settings\sliders.php (current_slider_id parameter).
- CVE-2018-5384CRITICALCVSS 9.8EG 9.82018-07-24
Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind sql injection. If successfully exploited the user can get info from the underlying postgresql database that could lead into to total…
- CVE-2018-5404MEDIUMCVSS 6.5EG 6.52019-06-03
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive …
- CVE-2018-5443MEDIUMCVSS 5.3EG 5.32018-01-25
A SQL Injection issue was discovered in Advantech WebAccess/SCADA versions prior to V8.2_20170817. WebAccess/SCADA does not properly sanitize its inputs for SQL commands.
- CVE-2018-5695HIGHCVSS 7.2EG 7.22018-01-14
The WpJobBoard plugin 4.4.4 for WordPress allows SQL injection via the order or sort parameter to the wpjb-job or wpjb-alerts module, with a request to wp-admin/admin.php.
- CVE-2018-5696CRITICALCVSS 9.8EG 9.82018-01-14
The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection via the `advertiser_status` and `status_select` parameters to index.php.
- CVE-2018-5697HIGHCVSS 7.2EG 7.22018-01-14
Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to admin_kb_art.php or the order parameter to admin_jr_admin.php, related to functions_kb.php.
- CVE-2018-5778CRITICALCVSS 9.8EG 9.82018-01-24
An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vect…
- CVE-2018-5960HIGHCVSS 8.8EG 8.82018-01-22
Zenario v7.1 - v7.6 has SQL injection via the `Name` input field of organizer.php or admin_boxes.ajax.php in the `Categories - Edit` module.
- CVE-2018-5970CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the JGive 2.0.9 component for Joomla! via the filter_org_ind_type or campaign_countries parameter.
- CVE-2018-5971CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joomla! via the id parameter or the mid array parameter.
- CVE-2018-5972CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in Classified Ads CMS Quickad 4.0 via the keywords, placeid, cat, or subcat parameter to the listing URI.
- CVE-2018-5973CRITICALCVSS 9.8EG 9.82018-01-25
SQL Injection exists in Professional Local Directory Script 1.0 via the sellers_subcategories.php IndustryID parameter, or the suppliers.php IndustryID or CategoryID parameter.
- CVE-2018-5974CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter.
- CVE-2018-5975CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI.
- CVE-2018-5977CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&price_type=range&price= request.
- CVE-2018-5978CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the login.php User field.
- CVE-2018-5979CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in Wchat Fully Responsive PHP AJAX Chat Script 1.5 via the login.php User field.
- CVE-2018-5980CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Solidres 2.5.1 component for Joomla! via the direction parameter in a hub.search action.
- CVE-2018-5981CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.
- CVE-2018-5982CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Advertisement Board 3.1.0 component for Joomla! via a task=show_rss_categories&catname= request.
- CVE-2018-5983CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the JquickContact 1.3.2.2.1 component for Joomla! via a task=refresh&sid= request.
- CVE-2018-5984CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 component for Joomla! via the PATH_INFO to the category/ URI.
- CVE-2018-5985CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for Joomla! via an r=site/login&company_id= request.
- CVE-2018-5986CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php.
- CVE-2018-5987CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 component for Joomla! via the pin_id or user_id parameter in a task=getlikeinfo action, the ends parameter in a view=gift action, the category parameter in a view=home action,…
- CVE-2018-5988CRITICALCVSS 9.8EG 9.82018-01-24
SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobile_preview.php or index.php.
- CVE-2018-5989CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the ccNewsletter 2.x component for Joomla! via the id parameter in a task=removeSubscriber action, a related issue to CVE-2011-5099.
- CVE-2018-5990CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joomla! via the divid parameter.
- CVE-2018-5991CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798.
- CVE-2018-5992CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Staff Master through 1.0 RC 1 component for Joomla! via the name parameter in a view=staff request.
- CVE-2018-5993CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Aist through 2.0 component for Joomla! via the id parameter in a view=showvacancy request.
- CVE-2018-5994CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the JS Jobs 1.1.9 component for Joomla! via the zipcode parameter in a newest-jobs request, or the ta parameter in a view_resume request.
- CVE-2018-6004CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the File Download Tracker 3.0 component for Joomla! via the dynfield[phone] or sess parameter.
- CVE-2018-6005CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the Realpin through 1.5.04 component for Joomla! via the pinboard parameter.
- CVE-2018-6006CRITICALCVSS 9.8EG 9.82018-02-17
SQL Injection exists in the JS Autoz 1.0.9 component for Joomla! via the vtype, pre, or prs parameter.
- CVE-2018-6024CRITICALCVSS 9.8EG 9.82018-02-18
SQL Injection exists in the Project Log 1.5.3 component for Joomla! via the search parameter.
Map vulnerabilities like CWE-89 to your infrastructure
EchelonGraph correlates every CVE — across CWE-89 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →