CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 12 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17587 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter. |
| CVE-2017-17586 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter. |
| CVE-2017-17585 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter. |
| CVE-2017-17584 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter. |
| CVE-2017-17583 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter. |
| CVE-2017-17582 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter. |
| CVE-2017-17581 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid parameter. |
| CVE-2017-17580 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Linkedin Clone 1.0 has SQL Injection via the group.php grid parameter, profile.php fid parameter, or company_details.php id parameter. |
| CVE-2017-17579 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter. |
| CVE-2017-17578 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter. |
| CVE-2017-17577 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Trademe Clone 1.0 has SQL Injection via the search_item.php search parameter or the general_item_details.php id parameter. |
| CVE-2017-17576 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat parameter, browse-scategory.php sc parameter, or service-provider.php ser parameter. |
| CVE-2017-17575 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Groupon Clone 1.0 has SQL Injection via the item_details.php id parameter or the vendor_details.php id parameter. |
| CVE-2017-17574 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter. |
| CVE-2017-17573 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, or the search.php category_id or sub_category_id parameter. |
| CVE-2017-17572 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Amazon Clone 1.0 has SQL Injection via the PATH_INFO to /VerAyari. |
| CVE-2017-17571 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parameter. |
| CVE-2017-17570 | | Cri | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Expedia Clone 1.0 has SQL Injection via the pages.php or content.php id parameter, or the show-flight-result.php fl_orig or fl_dest parameter. |
| CVE-2017-17111 | | Cri | 0.67 | 9.8 | 0.09 | | Dec 11, 2017 | Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request. |
| CVE-2017-17110 | | Cri | 0.67 | 9.8 | 0.09 | | Dec 11, 2017 | Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL commands via a single.php?id= request. |