Vulnerabilities (CVE)

Filtered by CWE-89
Total 15791 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-20018 1 S-cms 1 S-cms 2024-11-21 5.0 MEDIUM 7.5 HIGH
S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI.
CVE-2018-1994 1 Ibm 2 Infosphere Information Server On Cloud, Infosphere Metadata Asset Manager 2024-11-21 7.5 HIGH 6.3 MEDIUM
IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 154494.
CVE-2018-1819 1 Ibm 1 Financial Transaction Manager 2024-11-21 6.5 MEDIUM 6.3 MEDIUM
IBM Financial Transaction Manager for Digital Payments for Multi-Platform 3.0.2, 3.0.4, 3.0.6, and 3.2.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-force ID: 150023.
CVE-2018-1756 1 Ibm 1 Security Identity Governance And Intelligence 2024-11-21 5.0 MEDIUM 7.5 HIGH
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599.
CVE-2018-1699 1 Ibm 1 Maximo Asset Management 2024-11-21 6.5 MEDIUM 6.3 MEDIUM
IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145968.
CVE-2018-1674 1 Ibm 2 Business Automation Workflow, Business Process Manager 2024-11-21 6.5 MEDIUM 6.3 MEDIUM
IBM Business Process Manager 8.5 through 8.6 and 18.0.0.0 through 18.0.0.1 are vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145109.
CVE-2018-1414 1 Ibm 2 Maximo Asset Management, Maximo Asset Management Essentials 2024-11-21 6.5 MEDIUM 8.8 HIGH
IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 138820.
CVE-2018-1292 1 Apache 1 Fineract 2024-11-21 5.5 MEDIUM 8.1 HIGH
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter.
CVE-2018-1291 1 Apache 1 Fineract 2024-11-21 5.5 MEDIUM 8.1 HIGH
Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query parameter by way of the "order" param in such a way to read/update the data for which he doesn't have authorization.
CVE-2018-1290 1 Apache 1 Fineract 2024-11-21 7.5 HIGH 9.8 CRITICAL
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of MakercheckersApiResource Class.
CVE-2018-1289 1 Apache 1 Fineract 2024-11-21 6.5 MEDIUM 8.8 HIGH
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' and 'sortOrder' query parameter in such a way to read/update the data for which he doesn't have authorization.
CVE-2018-1282 1 Apache 1 Hive 2024-11-21 7.5 HIGH 9.1 CRITICAL
This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that JDBC driver does in PreparedStatement implementation.
CVE-2018-1280 1 Pivotal Software 1 Greenplum Command Center 2024-11-21 5.0 MEDIUM 7.5 HIGH
Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains a blind SQL injection vulnerability. An unauthenticated user can perform a SQL injection in the command center which results in disclosure of database contents.
CVE-2018-1252 1 Rsa 1 Web Threat Detection 2024-11-21 6.5 MEDIUM 8.8 HIGH
RSA Web Threat Detection versions prior to 6.4, contain an SQL injection vulnerability in the Administration and Forensics applications. An authenticated malicious user with low privileges could potentially exploit this vulnerability to execute SQL commands on the back-end database to gain unauthorized access to the tool's monitoring and user information by supplying specially crafted input data to the affected application.
CVE-2018-1132 1 Opendaylight 1 Sdninterfaceapp 2024-11-21 7.5 HIGH 7.5 HIGH
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL.
CVE-2018-1096 2 Redhat, Theforeman 2 Satellite, Foreman 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
An input sanitization flaw was found in the id field in the dashboard controller of Foreman before 1.16.1. A user could use this flaw to perform an SQL injection attack on the back end database.
CVE-2018-19998 1 Dolibarr 1 Dolibarr 2024-11-21 6.5 MEDIUM 8.8 HIGH
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
CVE-2018-19994 1 Dolibarr 1 Dolibarr 2024-11-21 6.5 MEDIUM 8.8 HIGH
An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.
CVE-2018-19952 1 Qnap 2 Music Station, Qts 2024-11-21 5.0 MEDIUM 7.5 HIGH
If exploited, this SQL injection vulnerability could allow remote attackers to obtain application information. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11.
CVE-2018-19925 1 Sales \& Company Management System Project 1 Sales \& Company Management System 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Sales & Company Management System (SCMS) through 2018-06-06. It has SQL injection via the member/member_order.php type parameter, related to the O_state parameter.