Vulnerabilities (CVE)

Filtered by CWE-89
Total 15370 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-5778 1 Progress 1 Whatsup Gold 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2018-5697 1 Icyphoenix 1 Icyphoenix 2024-11-21 6.5 MEDIUM 7.2 HIGH
Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to admin_kb_art.php or the order parameter to admin_jr_admin.php, related to functions_kb.php.
CVE-2018-5696 1 Ijoomla 1 Ad Agency 2024-11-21 7.5 HIGH 9.8 CRITICAL
The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection via the `advertiser_status` and `status_select` parameters to index.php.
CVE-2018-5695 1 Wpjobboard 1 Wpjobboard 2024-11-21 6.5 MEDIUM 7.2 HIGH
The WpJobBoard plugin 4.4.4 for WordPress allows SQL injection via the order or sort parameter to the wpjb-job or wpjb-alerts module, with a request to wp-admin/admin.php.
CVE-2018-5443 1 Advantech 1 Webaccess\/scada 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A SQL Injection issue was discovered in Advantech WebAccess/SCADA versions prior to V8.2_20170817. WebAccess/SCADA does not properly sanitize its inputs for SQL commands.
CVE-2018-5404 1 Quest 2 Kace Systems Management Appliance, Kace Systems Management Appliance Firmware 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
The Quest Kace K1000 Appliance, versions prior to 9.0.270, allows an authenticated, remote attacker with least privileges ('User Console Only' role) to potentially exploit multiple Blind SQL Injection vulnerabilities to retrieve sensitive information from the database or copy the entire database. An authenticated remote attacker could leverage Blind SQL injections to obtain sensitive data.
CVE-2018-5384 1 Navarino 1 Infinity 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind sql injection. If successfully exploited the user can get info from the underlying postgresql database that could lead into to total compromise of the product. The said script is available with no authentication.
CVE-2018-5374 1 Slidervilla 1 Dbox Slider 2024-11-21 6.5 MEDIUM 8.8 HIGH
The Dbox 3D Slider Lite plugin through 1.2.2 for WordPress has SQL Injection via settings\sliders.php (current_slider_id parameter).
CVE-2018-5373 1 Slidervilla 1 Smooth Slider 2024-11-21 6.5 MEDIUM 8.8 HIGH
The Smooth Slider plugin through 2.8.6 for WordPress has SQL Injection via smooth-slider.php (trid parameter).
CVE-2018-5372 1 Slidervilla 1 Testimonial Slider 2024-11-21 6.5 MEDIUM 8.8 HIGH
The Testimonial Slider plugin through 1.2.4 for WordPress has SQL Injection via settings\sliders.php (current_slider_id parameter).
CVE-2018-5315 1 Wp Events Calendar Project 1 Wp Events Calendar 2024-11-21 7.5 HIGH 9.8 CRITICAL
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php.
CVE-2018-5211 1 Phpsugar 1 Php Melody 2024-11-21 7.5 HIGH 9.8 CRITICAL
PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack on the page ajax.php with the parameter playlist.
CVE-2018-4056 2 Coturn Project, Debian 2 Coturn, Debian Linux 2024-11-21 7.5 HIGH 9.8 CRITICAL
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
CVE-2018-3885 1 Erpnext 1 Erpnext 2024-11-21 6.5 MEDIUM 8.8 HIGH
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The order_by parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
CVE-2018-3884 1 Erpnext 1 Erpnext 2024-11-21 6.5 MEDIUM 8.8 HIGH
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The sort_by and start parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
CVE-2018-3883 1 Erpnext 1 Erpnext 2024-11-21 6.5 MEDIUM 8.8 HIGH
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The employee and sort_order parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
CVE-2018-3882 1 Erpnext 1 Erpnext 2024-11-21 6.5 MEDIUM 8.8 HIGH
An exploitable SQL injection vulnerability exists in the authenticated part of ERPNext v10.1.6. Specially crafted web requests can cause SQL injections resulting in data compromise. The searchfield parameter can be used to perform an SQL injection attack. An attacker can use a browser to trigger these vulnerabilities, and no special tools are required.
CVE-2018-3879 1 Samsung 2 Sth-eth-250, Sth-eth-250 Firmware 2024-11-21 6.5 MEDIUM 8.8 HIGH
An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly parses the user-controlled JSON payload, leading to a JSON injection which in turn leads to a SQL injection in the video-core database. An attacker can send a series of HTTP requests to trigger this vulnerability.
CVE-2018-3811 1 Oturia 1 Smart Google Code Inserter 2024-11-21 7.5 HIGH 9.8 CRITICAL
SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.
CVE-2018-3783 1 Flintcms 1 Flintcms 2024-11-21 7.5 HIGH 9.8 CRITICAL
A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.