CWE-89— SQL Injection

SQL injection vulnerability in the Kitchen recipe (mv_cooking) extension before 0.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild as of February 2012.

SQL injection vulnerability in the Category-System (toi_category) extension 0.6.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the White Papers (mm_whtppr) extension 0.0.4 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the Documents download (rtg_files) extension before 1.5.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the Post data records to facebook (bc_post2facebook) extension before 0.2.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in search.php in phxEventManager 2.0 beta 5 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.

SQL injection vulnerability in pfile/file.php in Powie pFile 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter.

Multiple SQL injection vulnerabilities in freelancerKit 2.35 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to the (1) notes and (2) tickets components.

Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adh…

SQL injection vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to execute arbitrary SQL commands via a malformed URL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0234.

SQL injection vulnerability in Segue 2.2.10.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip par…

SQL injection vulnerability in CONTIMEX Impulsio CMS allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.

SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltRes…

SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote att…

Multiple SQL injection vulnerabilities in ajaxserver.php in NextBBS 0.6 allow remote attackers to execute arbitrary SQL commands via the (1) curstr parameter in the findUsers function, (2) id parameter in the isIdAvailable function, or (3)…

SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecifi…

SQL injection vulnerability in the Search Autocomplete module before 7.x-2.1 for Drupal allows remote authenticated users with the "use search_autocomplete" permission to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the Multisite Search module 6.x-2.2 for Drupal allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the Site table prefix field.

SQL injection vulnerability in getcity.php in Hotel Booking Portal 0.1 allows remote attackers to execute arbitrary SQL commands via the country parameter.

SQL injection vulnerability in loginscript.php in e-ticketing allows remote attackers to execute arbitrary SQL commands via the password parameter.

SQL injection vulnerability in my.activation.php3 in F5 FirePass 6.0.0 through 6.1.0 and 7.0.0 allows remote attackers to execute arbitrary SQL commands via the state parameter.

SQL injection vulnerability in artykul_print.php in CreateVision CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.

SQL injection vulnerability in search.php in SocialCMS 1.0.5 allows remote attackers to execute arbitrary SQL commands via the category parameter.

SQL injection vulnerability in MyJobList 0.1.3 allows remote attackers to execute arbitrary SQL commands via the eid parameter in a profile action to index.php.

SQL injection vulnerability in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Multiple SQL injection vulnerabilities in PHP Address Book 6.2.12 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) to_group parameter to group.php or (2) id parameter to vcard.php. NOTE: the edit.php vector…

SQL injection vulnerability in admin/country/edit.php in Newscoop before 3.5.5 and 4.x before 4 RC4 allows remote attackers to execute arbitrary SQL commands via the f_country_code parameter.

SQL injection vulnerability in HP Performance Insight for Networks 5.3.x, 5.41, 5.41.001, and 5.41.002 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the get_last_conversation_lines function in common/logger.py in Gajim before 0.15 allows remote attackers to execute arbitrary SQL commands via the jig parameter.

Multiple SQL injection vulnerabilities in login.php in Timesheet Next Gen 1.5.2 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters.

SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 of WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action.

SQL injection vulnerability in interface/login/validateUser.php in OpenEMR 4.1.0 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the u parameter.

SQL injection vulnerability in ModuleServlet.do in the Storage Manager Profiler in IBM System Storage DS Storage Manager before 10.83.xx.18 on DS Series devices allows remote authenticated users to execute arbitrary SQL commands via the se…

SQL injection vulnerability in users.php in PHP Gift Registry 1.5.5 allows remote authenticated users to execute arbitrary SQL commands via the userid parameter in an edit action.

SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attack…

Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP).

SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. NOTE: this issue might be resultant from…

SQL injection vulnerability in includes/picture.class.php in Galette 0.63, 0.63.1, 0.63.2, 0.63.3, and 0.64rc1 allows remote attackers to execute arbitrary SQL commands via the id_adh parameter to picture.php.

SQL injection vulnerability in calendar/event.php in the calendar implementation in Moodle 1.9.x before 1.9.18 allows remote authenticated users to execute arbitrary SQL commands via a crafted calendar event.

SQL injection vulnerability in the management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to a "blind SQL injection" issue.

SQL injection vulnerability in WrVMwareHostList.asp in Ipswitch WhatsUp Gold 15.02 allows remote attackers to execute arbitrary SQL commands via the sGroupList parameter.

Multiple SQL injection vulnerabilities in the get_sample_filters_by_signature function in Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0, allow remote attackers to execute arbitrary SQL command…

SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits."

SQL injection vulnerability in public_html/lists/admin in phpList before 2.10.18 allows remote attackers to execute arbitrary SQL commands via the sortby parameter in a find action.

SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php.

Multiple SQL injection vulnerabilities in admin/bbcodes.php in Viscacha 0.8.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) bbcodeexample, (2) buttonimage, or (3) bbcodetag parameter.