CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 143 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-40215 | Hig | 0.49 | 7.6 | 0.01 | Nov 4, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Demonisblack demon image annotation allows SQL Injection.This issue affects demon image annotation: from n/a through 5.1. | ||
| CVE-2023-32741 | Hig | 0.49 | 7.6 | 0.01 | Nov 4, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in IT Path Solutions PVT LTD Contact Form to Any API allows SQL Injection.This issue affects Contact Form to Any API: from n/a through 1.1.2. | ||
| CVE-2023-34179 | Hig | 0.49 | 7.6 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Groundhogg Inc. Groundhogg allows SQL Injection.This issue affects Groundhogg: from n/a through 2.7.11. | ||
| CVE-2023-32508 | Hig | 0.49 | 7.6 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolf van Gelder Order Your Posts Manually allows SQL Injection.This issue affects Order Your Posts Manually: from n/a through 2.2.5. | ||
| CVE-2023-32121 | Hig | 0.49 | 7.6 | 0.01 | Nov 3, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Highfivery LLC Zero Spam for WordPress allows SQL Injection.This issue affects Zero Spam for WordPress: from n/a through 5.4.4. | ||
| CVE-2023-37966 | Hig | 0.49 | 7.6 | 0.01 | Oct 31, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log user-activity-log allows SQL Injection.This issue affects User Activity Log: from n/a through 1.6.2. | ||
| CVE-2023-36508 | Hig | 0.49 | 7.6 | 0.01 | Oct 31, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db allows SQL Injection.This issue affects Contact Form to DB by… | ||
| CVE-2023-35879 | Hig | 0.49 | 7.6 | 0.01 | Oct 31, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce Product Vendors allows SQL Injection.This issue affects Product Vendors: from n/a through 2.1.78. | ||
| CVE-2023-33927 | Hig | 0.49 | 7.6 | 0.01 | Oct 31, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Multiple Page Generator Plugin – MPG multiple-pages-generator-by-porthas allows SQL Injection.This issue affects Multiple Page Generator Plugin – MPG: from n/a… | ||
| CVE-2023-31717 | Hig | 0.49 | 7.5 | 0.02 | Sep 22, 2023 | A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database. | ||
| CVE-2023-40771 | Hig | 0.49 | 7.5 | 0.01 | Sep 1, 2023 | SQL injection vulnerability in DataEase v.1.18.9 allows a remote attacker to obtain sensitive information via a crafted string outside of the blacklist function. | ||
| CVE-2023-34603 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2023 | JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictInfo at org.jeecg.modules.api.controller.SystemApiController. | ||
| CVE-2022-41892 | Hig | 0.49 | 8.6 | 0.01 | Nov 11, 2022 | Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This… | ||
| CVE-2021-36898 | Hig | 0.49 | 7.5 | 0.01 | Oct 28, 2022 | Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress. | ||
| CVE-2021-46385 | Hig | 0.49 | 7.5 | 0.02 | Jan 26, 2022 | https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability… | ||
| CVE-2021-46383 | Hig | 0.49 | 7.5 | 0.02 | Jan 26, 2022 | https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.web.DictAction#list. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability… | ||
| CVE-2021-23352 | — | Hig | 0.49 | 8.6 | 0.02 | Mar 9, 2021 | This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function. | |
| CVE-2019-19209 | — | Hig | 0.49 | 7.5 | 0.02 | Mar 16, 2020 | Dolibarr ERP/CRM before 10.0.3 allows SQL Injection. | |
| CVE-2020-3719 | Hig | 0.49 | 7.5 | 0.03 | Jan 29, 2020 | Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure. | ||
| CVE-2018-0404 | Hig | 0.49 | 7.5 | 0.01 | Oct 5, 2018 | A vulnerability in the web framework code for Cisco RV180W Wireless-N Multifunction VPN Router and Small Business RV Series RV220W Wireless Network Security Firewall could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The attacker could retrieve… |
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Demonisblack demon image annotation allows SQL Injection.This issue affects demon image annotation: from n/a through 5.1.
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in IT Path Solutions PVT LTD Contact Form to Any API allows SQL Injection.This issue affects Contact Form to Any API: from n/a through 1.1.2.
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Groundhogg Inc. Groundhogg allows SQL Injection.This issue affects Groundhogg: from n/a through 2.7.11.
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolf van Gelder Order Your Posts Manually allows SQL Injection.This issue affects Order Your Posts Manually: from n/a through 2.2.5.
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Highfivery LLC Zero Spam for WordPress allows SQL Injection.This issue affects Zero Spam for WordPress: from n/a through 5.4.4.
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log user-activity-log allows SQL Injection.This issue affects User Activity Log: from n/a through 1.6.2.
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db allows SQL Injection.This issue affects Contact Form to DB by…
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce Product Vendors allows SQL Injection.This issue affects Product Vendors: from n/a through 2.1.78.
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Multiple Page Generator Plugin – MPG multiple-pages-generator-by-porthas allows SQL Injection.This issue affects Multiple Page Generator Plugin – MPG: from n/a…
- risk 0.49cvss 7.5epss 0.02
A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.
- risk 0.49cvss 7.5epss 0.01
SQL injection vulnerability in DataEase v.1.18.9 allows a remote attacker to obtain sensitive information via a crafted string outside of the blacklist function.
- risk 0.49cvss 7.5epss 0.01
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictInfo at org.jeecg.modules.api.controller.SystemApiController.
- risk 0.49cvss 8.6epss 0.01
Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This…
- risk 0.49cvss 7.5epss 0.01
Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.
- risk 0.49cvss 7.5epss 0.02
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.FormDataAction#queryData. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability…
- risk 0.49cvss 7.5epss 0.02
https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). The component is: net.mingsoft.mdiy.action.web.DictAction#list. The attack vector is: 0 or sleep(3). ¶¶ MCMS has a sql injection vulnerability…
- risk 0.49cvss 8.6epss 0.02
This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.
- risk 0.49cvss 7.5epss 0.02
Dolibarr ERP/CRM before 10.0.3 allows SQL Injection.
- risk 0.49cvss 7.5epss 0.03
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
- risk 0.49cvss 7.5epss 0.01
A vulnerability in the web framework code for Cisco RV180W Wireless-N Multifunction VPN Router and Small Business RV Series RV220W Wireless Network Security Firewall could allow an unauthenticated, remote attacker to execute arbitrary SQL queries. The attacker could retrieve…