CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 13 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-3934 | Cri | 0.67 | 9.8 | 0.03 | Nov 21, 2017 | Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login. | ||
| CVE-2015-3933 | Cri | 0.67 | 9.8 | 0.04 | Nov 8, 2017 | Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php. | ||
| CVE-2017-16543 | Cri | 0.67 | 9.8 | 0.06 | Nov 5, 2017 | Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. | ||
| CVE-2017-15993 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. | ||
| CVE-2017-15992 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php. | ||
| CVE-2017-15991 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951,… | ||
| CVE-2017-15989 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action. | ||
| CVE-2017-15988 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525. | ||
| CVE-2017-15987 | Cri | 0.67 | 9.8 | 0.02 | Oct 31, 2017 | Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter. | ||
| CVE-2017-15986 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | CPA Lead Reward Script allows SQL Injection via the username parameter. | ||
| CVE-2017-15985 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter. | ||
| CVE-2017-15984 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Creative Management System (CMS) Lite 1.4 allows SQL Injection via the S parameter to index.php. | ||
| CVE-2017-15983 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. | ||
| CVE-2017-15982 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. | ||
| CVE-2017-15981 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. | ||
| CVE-2017-15980 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter. | ||
| CVE-2017-15979 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the photo parameter. | ||
| CVE-2017-15978 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter. | ||
| CVE-2017-15977 | Cri | 0.67 | 9.8 | 0.03 | Oct 31, 2017 | Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter. | ||
| CVE-2017-15976 | Cri | 0.67 | 9.8 | 0.03 | Oct 29, 2017 | ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604. |
- risk 0.67cvss 9.8epss 0.03
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login.
- risk 0.67cvss 9.8epss 0.04
Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php.
- risk 0.67cvss 9.8epss 0.06
Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.
- risk 0.67cvss 9.8epss 0.03
Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter.
- risk 0.67cvss 9.8epss 0.03
Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php.
- risk 0.67cvss 9.8epss 0.03
Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951,…
- risk 0.67cvss 9.8epss 0.03
Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action.
- risk 0.67cvss 9.8epss 0.03
Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525.
- risk 0.67cvss 9.8epss 0.02
Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter.
- risk 0.67cvss 9.8epss 0.03
CPA Lead Reward Script allows SQL Injection via the username parameter.
- risk 0.67cvss 9.8epss 0.03
Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter.
- risk 0.67cvss 9.8epss 0.03
Creative Management System (CMS) Lite 1.4 allows SQL Injection via the S parameter to index.php.
- risk 0.67cvss 9.8epss 0.03
MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
- risk 0.67cvss 9.8epss 0.03
Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
- risk 0.67cvss 9.8epss 0.03
Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
- risk 0.67cvss 9.8epss 0.03
US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter.
- risk 0.67cvss 9.8epss 0.03
Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the photo parameter.
- risk 0.67cvss 9.8epss 0.03
AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.
- risk 0.67cvss 9.8epss 0.03
Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter.
- risk 0.67cvss 9.8epss 0.03
ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604.