VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 124 of 512
  • CVE-2023-2201HigJun 2, 2023
    risk 0.50cvss 8.8epss 0.01

    The Web Directory Free for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.6.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

  • CVE-2023-30850HigApr 27, 2023
    risk 0.50cvss 8.8epss 0.01

    Pimcore is an open source data and experience management platform. Prior to version 10.5.21, a SQL Injection vulnerability exists in the admin translations API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually.

  • CVE-2023-30849HigApr 27, 2023
    risk 0.50cvss 8.8epss 0.01

    Pimcore is an open source data and experience management platform. Prior to version 10.5.21, A SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually.

  • CVE-2023-30848HigApr 27, 2023
    risk 0.50cvss 8.8epss 0.01

    Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the admin search find API has a SQL injection vulnerability. Users should upgrade to version 10.5.21 to receive a patch or, as a workaround, apply the patch manually.

  • CVE-2023-2338HigApr 27, 2023
    risk 0.50cvss 8.8epss 0.01

    SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21.

  • CVE-2023-28329HigMar 23, 2023
    risk 0.50cvss 8.8epss 0.01

    Insufficient validation of profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).

  • CVE-2023-22794HigFeb 9, 2023
    risk 0.50cvss 8.8epss 0.02

    A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds…

  • CVE-2022-42121HigNov 15, 2022
    risk 0.50cvss 8.8epss 0.01

    A SQL injection vulnerability in the Layout module in Liferay Portal 7.1.3 through 7.4.3.4, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, 7.3 before service pack 3, and 7.4 GA allows remote authenticated attackers to execute arbitrary SQL commands via a crafted…

  • CVE-2022-31367HigSep 27, 2022
    risk 0.50cvss 8.8epss 0.01

    Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.

  • CVE-2022-40043HigSep 26, 2022
    risk 0.50cvss 8.8epss 0.01

    Centreon v20.10.18 was discovered to contain a SQL injection vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations.

  • CVE-2022-26986HigApr 5, 2022
    risk 0.50cvss 7.2epss 0.04

    SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a…

  • CVE-2021-36625HigMar 31, 2022
    risk 0.50cvss 8.8epss 0.01

    An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter in an UPDATE statement.

  • CVE-2022-0983HigMar 25, 2022
    risk 0.50cvss 8.8epss 0.01

    An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

  • CVE-2022-1064HigMar 25, 2022
    risk 0.50cvss 8.8epss 0.01

    SQL injection through marking blog comments on bulk as spam in GitHub repository forkcms/forkcms prior to 5.11.1.

  • CVE-2022-0258HigJan 17, 2022
    risk 0.50cvss 8.8epss 0.02

    pimcore is vulnerable to Improper Neutralization of Special Elements used in an SQL Command

  • CVE-2021-21380HigMar 23, 2021
    risk 0.50cvss 7.7epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the…

  • CVE-2020-35700HigFeb 8, 2021
    risk 0.50cvss 8.8epss 0.02

    A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings…

  • CVE-2020-14443HigJun 18, 2020
    risk 0.50cvss 8.8epss 0.01

    A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.

  • CVE-2020-1937HigFeb 24, 2020
    risk 0.50cvss 8.8epss 0.03

    Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.

  • CVE-2012-4383HigJan 29, 2020
    risk 0.50cvss 8.8epss 0.01

    contao prior to 2.11.4 has a sql injection vulnerability