VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 116 of 512
  • CVE-2024-33787HigMay 3, 2024
    risk 0.53cvss 8.2epss 0.00

    Hengan Weighing Management Information Query Platform 2019-2021 53.25 was discovered to contain a SQL injection vulnerability via the tuser_Number parameter at search_user.aspx.

  • CVE-2024-33292HigMay 1, 2024
    risk 0.53cvss 8.2epss 0.00

    SQL Injection vulnerability in Realisation MGSD v.1.0 allows a remote attacker to obtain sensitive information via the id parameter.

  • CVE-2023-29432HigDec 20, 2023
    risk 0.53cvss 8.2epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme.This issue affects Houzez - Real Estate WordPress Theme: from n/a before 2.8.3.

  • CVE-2023-40609HigNov 6, 2023
    risk 0.53cvss 8.2epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aiyaz, maheshpatel Contact form 7 Custom validation allows SQL Injection.This issue affects Contact form 7 Custom validation: from n/a through 1.1.3.

  • CVE-2023-25800HigNov 3, 2023
    risk 0.53cvss 8.1epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.2.0.

  • CVE-2023-25700HigNov 3, 2023
    risk 0.53cvss 8.2epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection.This issue affects Tutor LMS: from n/a through 2.1.10.

  • CVE-2022-46818HigNov 3, 2023
    risk 0.53cvss 8.2epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gopi Ramasamy Email posts to subscribers allows SQL Injection.This issue affects Email posts to subscribers: from n/a through 6.2.

  • CVE-2022-47445HigNov 3, 2023
    risk 0.53cvss 8.2epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Web-X Be POPIA Compliant be-popia-compliant allows SQL Injection.This issue affects Be POPIA Compliant: from n/a through 1.2.0.

  • CVE-2022-46808HigNov 3, 2023
    risk 0.53cvss 8.2epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Repute Infosystems ARMember armember-membership allows SQL Injection.This issue affects ARMember: from n/a through 3.4.11.

  • CVE-2022-45805HigNov 3, 2023
    risk 0.53cvss 8.2epss 0.02

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Paytm Paytm Payment Gateway paytm-payments allows SQL Injection.This issue affects Paytm Payment Gateway: from n/a through 2.7.3.

  • CVE-2023-41652HigNov 3, 2023
    risk 0.53cvss 8.2epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David F. Carr RSVPMaker rsvpmaker allows SQL Injection.This issue affects RSVPMaker: from n/a through 10.6.6.

  • CVE-2022-45786HigFeb 4, 2023
    risk 0.53cvss 8.1epss 0.01

    There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python…

  • CVE-2022-35942CriAug 12, 2022
    risk 0.53cvss 9.3epss 0.01

    Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality…

  • CVE-2022-29305HigMay 24, 2022
    risk 0.53cvss 8.1epss 0.01

    imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost.

  • CVE-2019-12465HigSep 9, 2019
    risk 0.53cvss 8.1epss 0.01

    An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rulesuggest.php?debug=1&term= request.

  • CVE-2018-1756HigSep 7, 2018
    risk 0.53cvss 7.5epss 0.11

    IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-Force ID: 148599.

  • CVE-2018-11231HigMay 23, 2018
    risk 0.53cvss 8.1epss 0.09

    In the Divido plugin for OpenCart, there is SQL injection. Attackers can use SQL injection to get some confidential information.

  • CVE-2018-1292HigApr 20, 2018
    risk 0.53cvss 8.1epss 0.02

    Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter.

  • CVE-2018-1291HigApr 20, 2018
    risk 0.53cvss 8.1epss 0.02

    Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject/draft the 'orderBy' query…

  • CVE-2018-8802HigMar 26, 2018
    risk 0.53cvss 8.1epss 0.01

    SQL injection vulnerability in the management interface in ePortal Manager allows remote attackers to execute arbitrary SQL commands via unspecified parameters.