VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 139 of 512
  • CVE-2024-47334HigOct 9, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Flow Zoho Flow zoho-flow allows SQL Injection.This issue affects Zoho Flow: from n/a through <= 2.7.1.

  • CVE-2024-47335HigOct 7, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bit Apps Bit Form bit-form allows SQL Injection.This issue affects Bit Form: from n/a through <= 2.13.11.

  • CVE-2024-46382HigSep 19, 2024
    risk 0.49cvss 7.5epss 0.01

    A SQL injection vulnerability in linlinjava litemall 1.8.0 allows a remote attacker to obtain sensitive information via the goodsId, goodsSn, and name parameters in AdminOrderController.java.

  • CVE-2024-43969HigSep 17, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spiffy Plugins Spiffy Calendar allows SQL Injection.This issue affects Spiffy Calendar: from n/a through 4.9.12.

  • CVE-2024-28297HigAug 2, 2024
    risk 0.49cvss 7.5epss 0.00

    SQL injection vulnerability in AzureSoft MyHorus 4.3.5 allows authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2024-5753HigJul 5, 2024
    risk 0.49cvss 7.5epss 0.01

    vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like `/etc/passwd`, by…

  • CVE-2024-35630HigJun 3, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LJ Apps WP TripAdvisor Review Slider allows Blind SQL Injection.This issue affects WP TripAdvisor Review Slider: from n/a through 12.6.

  • CVE-2024-33450HigMay 28, 2024
    risk 0.49cvss 7.5epss 0.00

    SQL Injection in Finereport v.8.0 allows a remote attacker to obtain sensitive information

  • CVE-2023-3942HigMay 21, 2024
    risk 0.49cvss 7.5epss 0.01

    An 'SQL Injection' vulnerability, due to improper neutralization of special elements used in SQL commands, exists in ZKTeco-based OEM devices. This vulnerability allows an attacker to, in some cases, impersonate another user or perform unauthorized actions. In other instances,…

  • CVE-2024-34386HigMay 6, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lucian Apostol Auto Affiliate Links.This issue affects Auto Affiliate Links: from n/a through 6.4.3.1.

  • CVE-2024-33911HigMay 2, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Management Pro.This issue affects School Management Pro: from n/a through 10.3.4.

  • CVE-2024-32602HigApr 18, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency.This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.3.1.

  • CVE-2024-32551HigApr 18, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through 4.71.

  • CVE-2024-32135HigApr 15, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPZest Disable Comments | WPZest.This issue affects Disable Comments | WPZest: from n/a through 1.51.

  • CVE-2024-32134HigApr 15, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nasirahmed Forms to Zapier, Integromat, IFTTT, Workato, Automate.Io, elastic.Io, Built.Io, APIANT, Webhook.This issue affects Forms to Zapier, Integromat, IFTTT, Workato,…

  • CVE-2024-32132HigApr 15, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codeboxr Team CBX Bookmark & Favorite.This issue affects CBX Bookmark & Favorite: from n/a through 1.7.20.

  • CVE-2024-32098HigApr 15, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter.This issue affects Advanced Page Visit Counter: from n/a through 8.0.6.

  • CVE-2024-32087HigApr 15, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExportFeed.Com Product Feed on WooCommerce for Google.This issue affects Product Feed on WooCommerce for Google: from n/a through 3.5.7.

  • CVE-2024-31356HigApr 10, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log.This issue affects User Activity Log: from n/a through 1.8.

  • CVE-2024-31260HigApr 7, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WisdmLabs Edwiser Bridge.This issue affects Edwiser Bridge: from n/a through 3.0.2.