CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 10 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17629 | | Cri | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | Secure E-commerce Script 2.0.1 has SQL Injection via the category.php searchmain or searchcat parameter, or the single_detail.php sid parameter. |
| CVE-2017-17628 | | Cri | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | Responsive Realestate Script 3.2 has SQL Injection via the property-list tbud parameter. |
| CVE-2017-17627 | | Cri | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter. |
| CVE-2017-17626 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter. |
| CVE-2017-17625 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Professional Service Script 1.0 has SQL Injection via the service-list city parameter. |
| CVE-2017-17624 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter. |
| CVE-2017-17623 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Opensource Classified Ads Script 3.2 has SQL Injection via the advance_result.php keyword parameter. |
| CVE-2017-17622 | | Cri | 0.67 | 9.8 | 0.04 | | Dec 13, 2017 | Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter. |
| CVE-2017-17621 | | Cri | 0.67 | 9.8 | 0.04 | | Dec 13, 2017 | Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI. |
| CVE-2017-17620 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city parameter. |
| CVE-2017-17619 | | Cri | 0.67 | 9.8 | 0.04 | | Dec 13, 2017 | Laundry Booking Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17618 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Kickstarter Clone Script 2.0 has SQL Injection via the investcalc.php projid parameter. |
| CVE-2017-17617 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Foodspotting Clone Script 1.0 has SQL Injection via the quicksearch.php q parameter. |
| CVE-2017-17616 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Event Search Script 1.0 has SQL Injection via the /event-list city parameter. |
| CVE-2017-17614 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Food Order Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17613 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Freelance Website Script 2.0.6 has SQL Injection via the jobdetails.php pr_id parameter or the searchbycat_list.php catid parameter. |
| CVE-2017-17612 | | Cri | 0.67 | 9.8 | 0.04 | | Dec 13, 2017 | Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter. |
| CVE-2017-17611 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Doctor Search Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17610 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | E-commerce MLM Software 1.0 has SQL Injection via the service_detail.php pid parameter, event_detail.php eventid parameter, or news_detail.php newid parameter. |
| CVE-2017-17609 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Chartered Accountant Booking Script 1.0 has SQL Injection via the /service-list city parameter. |