CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 14 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-15975 | | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_id' to add_to_cart.php, a different vulnerability than CVE-2008-4461. |
| CVE-2017-15974 | | Cri | 0.67 | 9.8 | 0.04 | | Oct 29, 2017 | tPanel 2009 allows SQL injection for Authentication Bypass via 'or 1=1 or ''=' to login.php. |
| CVE-2017-15973 | | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | Sokial Social Network Script 1.0 allows SQL Injection via the id parameter to admin/members_view.php. |
| CVE-2017-15972 | | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | SoftDatepro Dating Social Network 1.3 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15971. |
| CVE-2017-15971 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Same Sex Dating Software Pro 1.0 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15972. |
| CVE-2017-15970 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter. |
| CVE-2017-15969 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to search/tag, friends/index, users/profile, or video_catalog/category. |
| CVE-2017-15968 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.php subcategory parameter. |
| CVE-2017-15967 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Mailing List Manager Pro 3.0 allows SQL Injection via the edit parameter to admin/users in a sort=login action, or the edit parameter to admin/template. |
| CVE-2017-15966 | | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php. |
| CVE-2017-15965 | | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action. |
| CVE-2017-15964 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI. |
| CVE-2017-15963 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.php sc parameter or the service-provider.php ser parameter. |
| CVE-2017-15961 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | iProject Management System 1.0 allows SQL Injection via the ID parameter to index.php. |
| CVE-2017-15960 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Article Directory Script 3.0 allows SQL Injection via the id parameter to author.php or category.php. |
| CVE-2017-15959 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /download URI, a different vulnerability than CVE-2007-6576. |
| CVE-2017-15958 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | D-Park Pro Domain Parking Script 1.0 allows SQL Injection via the username to admin/loginform.php. |
| CVE-2014-2023 | | Cri | 0.67 | 9.8 | 0.04 | | Oct 26, 2017 | Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in… |
| CVE-2017-15081 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 24, 2017 | In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php. |
| CVE-2017-15579 | | Cri | 0.67 | 9.8 | 0.01 | | Oct 18, 2017 | In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pages_per_page cookie in a playlist action to watch.php. |