CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 116 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-33787 | Hig | 0.53 | 8.2 | 0.00 | May 3, 2024 | Hengan Weighing Management Information Query Platform 2019-2021 53.25 was discovered to contain a SQL injection vulnerability via the tuser_Number parameter at search_user.aspx. | ||
| CVE-2024-33292 | Hig | 0.53 | 8.2 | 0.00 | May 1, 2024 | SQL Injection vulnerability in Realisation MGSD v.1.0 allows a remote attacker to obtain sensitive information via the id parameter. | ||
| CVE-2023-29432 | Hig | 0.53 | 8.2 | 0.01 | Dec 20, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme.This issue affects Houzez - Real Estate WordPress Theme: from n/a before 2.8.3. | ||
| CVE-2023-40609 | Hig | 0.53 | 8.2 | 0.01 | Nov 6, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection.This issue affects Contact form 7 Custom validation: from n/a through 1.1.3. | ||
| CVE-2023-25800 | Hig | 0.53 | 8.1 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.2.0. | ||
| CVE-2023-25700 | Hig | 0.53 | 8.2 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.1.10. | ||
| CVE-2022-46818 | Hig | 0.53 | 8.2 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gopi Ramasamy Email posts to subscribers allows SQL Injection.This issue affects Email posts to subscribers: from n/a through 6.2. | ||
| CVE-2022-47445 | Hig | 0.53 | 8.2 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Web-X Be POPIA Compliant be-popia-compliant allows SQL Injection.This issue affects Be POPIA Compliant: from n/a through 1.2.0. | ||
| CVE-2022-46808 | Hig | 0.53 | 8.2 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Repute Infosystems ARMember armember-membership allows SQL Injection.This issue affects ARMember: from n/a through 3.4.11. | ||
| CVE-2022-45805 | Hig | 0.53 | 8.2 | 0.02 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Paytm Paytm Payment Gateway paytm-payments allows SQL Injection.This issue affects Paytm Payment Gateway: from n/a through 2.7.3. | ||
| CVE-2023-41652 | Hig | 0.53 | 8.2 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 10.6.6. | ||
| CVE-2022-45786 | Hig | 0.53 | 8.1 | 0.01 | Feb 4, 2023 | There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python… | ||
| CVE-2022-35942 | Cri | 0.53 | 9.3 | 0.01 | Aug 12, 2022 | Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality… | ||
| CVE-2022-29305 | — | Hig | 0.53 | 8.1 | 0.01 | May 24, 2022 | imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost. | |
| CVE-2019-12465 | — | Hig | 0.53 | 8.1 | 0.01 | Sep 9, 2019 | An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rulesuggest.php?debug=1&term= request. | |
| CVE-2018-1756 | Hig | 0.53 | 7.5 | 0.11 | Sep 7, 2018 | IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599. | ||
| CVE-2018-11231 | Hig | 0.53 | 8.1 | 0.09 | May 23, 2018 | In the Divido plugin for OpenCart, there is SQL injection. Attackers can use SQL injection to get some confidential information. | ||
| CVE-2018-1292 | Hig | 0.53 | 8.1 | 0.02 | Apr 20, 2018 | Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter. | ||
| CVE-2018-1291 | Hig | 0.53 | 8.1 | 0.02 | Apr 20, 2018 | Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query… | ||
| CVE-2018-8802 | Hig | 0.53 | 8.1 | 0.01 | Mar 26, 2018 | SQL injection vulnerability in the management interface in ePortal Manager allows remote attackers to execute arbitrary SQL commands via unspecified parameters. |
- risk 0.53cvss 8.2epss 0.00
Hengan Weighing Management Information Query Platform 2019-2021 53.25 was discovered to contain a SQL injection vulnerability via the tuser_Number parameter at search_user.aspx.
- risk 0.53cvss 8.2epss 0.00
SQL Injection vulnerability in Realisation MGSD v.1.0 allows a remote attacker to obtain sensitive information via the id parameter.
- risk 0.53cvss 8.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme.This issue affects Houzez - Real Estate WordPress Theme: from n/a before 2.8.3.
- risk 0.53cvss 8.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection.This issue affects Contact form 7 Custom validation: from n/a through 1.1.3.
- risk 0.53cvss 8.1epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.2.0.
- risk 0.53cvss 8.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.1.10.
- risk 0.53cvss 8.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gopi Ramasamy Email posts to subscribers allows SQL Injection.This issue affects Email posts to subscribers: from n/a through 6.2.
- risk 0.53cvss 8.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Web-X Be POPIA Compliant be-popia-compliant allows SQL Injection.This issue affects Be POPIA Compliant: from n/a through 1.2.0.
- risk 0.53cvss 8.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Repute Infosystems ARMember armember-membership allows SQL Injection.This issue affects ARMember: from n/a through 3.4.11.
- risk 0.53cvss 8.2epss 0.02
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Paytm Paytm Payment Gateway paytm-payments allows SQL Injection.This issue affects Paytm Payment Gateway: from n/a through 2.7.3.
- risk 0.53cvss 8.2epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 10.6.6.
- risk 0.53cvss 8.1epss 0.01
There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python…
- risk 0.53cvss 9.3epss 0.01
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality…
- risk 0.53cvss 8.1epss 0.01
imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost.
- risk 0.53cvss 8.1epss 0.01
An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rulesuggest.php?debug=1&term= request.
- risk 0.53cvss 7.5epss 0.11
IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599.
- risk 0.53cvss 8.1epss 0.09
In the Divido plugin for OpenCart, there is SQL injection. Attackers can use SQL injection to get some confidential information.
- risk 0.53cvss 8.1epss 0.02
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter.
- risk 0.53cvss 8.1epss 0.02
Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query…
- risk 0.53cvss 8.1epss 0.01
SQL injection vulnerability in the management interface in ePortal Manager allows remote attackers to execute arbitrary SQL commands via unspecified parameters.