VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

Page 12 of 512

  • CVE-2017-17587 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter.

  • CVE-2017-17586 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter.

  • CVE-2017-17585 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter.

  • CVE-2017-17584 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter.

  • CVE-2017-17583 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter.

  • CVE-2017-17582 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter.

  • CVE-2017-17581 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid parameter.

  • CVE-2017-17580 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Linkedin Clone 1.0 has SQL Injection via the group.php grid parameter, profile.php fid parameter, or company_details.php id parameter.

  • CVE-2017-17579 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter.

  • CVE-2017-17578 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter.

  • CVE-2017-17577 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Trademe Clone 1.0 has SQL Injection via the search_item.php search parameter or the general_item_details.php id parameter.

  • CVE-2017-17576 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat parameter, browse-scategory.php sc parameter, or service-provider.php ser parameter.

  • CVE-2017-17575 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Groupon Clone 1.0 has SQL Injection via the item_details.php id parameter or the vendor_details.php id parameter.

  • CVE-2017-17574 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter.

  • CVE-2017-17573 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, or the search.php category_id or sub_category_id parameter.

  • CVE-2017-17572 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Amazon Clone 1.0 has SQL Injection via the PATH_INFO to /VerAyari.

  • CVE-2017-17571 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parameter.

  • CVE-2017-17570 · Critical · Dec 13, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FS Expedia Clone 1.0 has SQL Injection via the pages.php or content.php id parameter, or the show-flight-result.php fl_orig or fl_dest parameter.

  • CVE-2017-17111 · Critical · Dec 11, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.09

    Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request.

  • CVE-2017-17110 · Critical · Dec 11, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.09

    Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL commands via a single.php?id= request.