CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 124 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-2201 | Hig | 0.50 | 8.8 | 0.01 | Jun 2, 2023 | The Web Directory Free for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.6.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it… | ||
| CVE-2023-30850 | Hig | 0.50 | 8.8 | 0.01 | Apr 27, 2023 | Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists in the admin translations API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually. | ||
| CVE-2023-30849 | Hig | 0.50 | 8.8 | 0.01 | Apr 27, 2023 | Pimcore is an open source data and experience management platform. Prior to version 10.5.21, A SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually. | ||
| CVE-2023-30848 | Hig | 0.50 | 8.8 | 0.01 | Apr 27, 2023 | Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually. | ||
| CVE-2023-2338 | Hig | 0.50 | 8.8 | 0.01 | Apr 27, 2023 | SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21. | ||
| CVE-2023-28329 | Hig | 0.50 | 8.8 | 0.01 | Mar 23, 2023 | Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers). | ||
| CVE-2023-22794 | — | Hig | 0.50 | 8.8 | 0.02 | Feb 9, 2023 | A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds… | |
| CVE-2022-42121 | — | Hig | 0.50 | 8.8 | 0.01 | Nov 15, 2022 | A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted… | |
| CVE-2022-31367 | Hig | 0.50 | 8.8 | 0.01 | Sep 27, 2022 | Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. | ||
| CVE-2022-40043 | Hig | 0.50 | 8.8 | 0.01 | Sep 26, 2022 | Centreon v20.10.18 was discovered to contain a SQL injection vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. | ||
| CVE-2022-26986 | Hig | 0.50 | 7.2 | 0.04 | Apr 5, 2022 | SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a… | ||
| CVE-2021-36625 | — | Hig | 0.50 | 8.8 | 0.01 | Mar 31, 2022 | An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement. | |
| CVE-2022-0983 | — | Hig | 0.50 | 8.8 | 0.01 | Mar 25, 2022 | An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default. | |
| CVE-2022-1064 | Hig | 0.50 | 8.8 | 0.01 | Mar 25, 2022 | SQL injection through marking blog comments on bulk as spam in GitHub repository forkcms/forkcms prior to 5.11.1. | ||
| CVE-2022-0258 | Hig | 0.50 | 8.8 | 0.02 | Jan 17, 2022 | pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | ||
| CVE-2021-21380 | Hig | 0.50 | 7.7 | 0.01 | Mar 23, 2021 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the… | ||
| CVE-2020-35700 | — | Hig | 0.50 | 8.8 | 0.02 | Feb 8, 2021 | A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings… | |
| CVE-2020-14443 | — | Hig | 0.50 | 8.8 | 0.01 | Jun 18, 2020 | A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter. | |
| CVE-2020-1937 | — | Hig | 0.50 | 8.8 | 0.03 | Feb 24, 2020 | Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries. | |
| CVE-2012-4383 | Hig | 0.50 | 8.8 | 0.01 | Jan 29, 2020 | contao prior to 2.11.4 has a sql injection vulnerability |
- risk 0.50cvss 8.8epss 0.01
The Web Directory Free for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.6.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…
- risk 0.50cvss 8.8epss 0.01
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists in the admin translations API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually.
- risk 0.50cvss 8.8epss 0.01
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, A SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually.
- risk 0.50cvss 8.8epss 0.01
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually.
- risk 0.50cvss 8.8epss 0.01
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21.
- risk 0.50cvss 8.8epss 0.01
Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).
- risk 0.50cvss 8.8epss 0.02
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds…
- risk 0.50cvss 8.8epss 0.01
A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted…
- risk 0.50cvss 8.8epss 0.01
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
- risk 0.50cvss 8.8epss 0.01
Centreon v20.10.18 was discovered to contain a SQL injection vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations.
- risk 0.50cvss 7.2epss 0.04
SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a…
- risk 0.50cvss 8.8epss 0.01
An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.
- risk 0.50cvss 8.8epss 0.01
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
- risk 0.50cvss 8.8epss 0.01
SQL injection through marking blog comments on bulk as spam in GitHub repository forkcms/forkcms prior to 5.11.1.
- risk 0.50cvss 8.8epss 0.02
pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
- risk 0.50cvss 7.7epss 0.01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the…
- risk 0.50cvss 8.8epss 0.02
A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings…
- risk 0.50cvss 8.8epss 0.01
A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
- risk 0.50cvss 8.8epss 0.03
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
- risk 0.50cvss 8.8epss 0.01
contao prior to 2.11.4 has a sql injection vulnerability