CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 15 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-2147 | | Cri | 0.67 | 9.8 | 0.02 | | Oct 6, 2017 | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. |
| CVE-2017-6089 | | Cri | 0.67 | 9.8 | 0.03 | | Oct 3, 2017 | SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id parameter to… |
| CVE-2017-14738 | | Cri | 0.67 | 9.8 | 0.03 | | Sep 30, 2017 | FileRun (version 2017.09.18 and below) suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the metafield parameter inside the metasearch module (under the search function). |
| CVE-2017-14507 | | Cri | 0.67 | 9.8 | 0.05 | | Sep 29, 2017 | Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_timeline_edit.php or (3)… |
| CVE-2017-14703 | | Cri | 0.67 | 9.8 | 0.02 | | Sep 26, 2017 | SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/. |
| CVE-2017-12930 | | Cri | 0.67 | 9.8 | 0.03 | | Sep 21, 2017 | SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 version >1.5.10 allows remote unauthenticated users to access the web interface as administrator via a crafted password. |
| CVE-2015-4073 | | Cri | 0.67 | 9.8 | 0.04 | | Sep 20, 2017 | Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (3) remote authenticated users to execute arbitrary SQL commands via the… |
| CVE-2015-3313 | | Cri | 0.67 | 9.8 | 0.08 | | Sep 7, 2017 | SQL injection vulnerability in WordPress Community Events plugin before 1.4. |
| CVE-2017-9834 | | Cri | 0.67 | 9.8 | 0.04 | | Sep 7, 2017 | SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the watupro_questions parameter in a watupro_submit action to wp-admin/admin-ajax.php. |
| CVE-2014-9558 | | Cri | 0.67 | 9.8 | 0.04 | | Aug 28, 2017 | Multiple SQL injection vulnerabilities in SmartCMS v.2. |
| CVE-2017-11385 | | Cri | 0.67 | 9.8 | 0.39 | | Aug 2, 2017 | SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x6b1b due to lack of proper user input validation in cmdHandlerStatusMonitor.dll. Formerly ZDI-CAN-4545. |
| CVE-2017-11384 | | Cri | 0.67 | 9.8 | 0.39 | | Aug 2, 2017 | SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x3b21 due to lack of proper user input validation in mdHandlerLicenseManager.dll. Formerly ZDI-CAN-4561. |
| CVE-2017-11383 | | Cri | 0.67 | 9.8 | 0.39 | | Aug 2, 2017 | SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x1b07 due to lack of proper user input validation in cmdHandlerTVCSCommander.dll. Formerly ZDI-CAN-4560. |
| CVE-2017-11494 | | Cri | 0.67 | 9.8 | 0.04 | | Aug 2, 2017 | SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a login action. |
| CVE-2015-2798 | | Cri | 0.67 | 9.8 | 0.03 | | Jul 25, 2017 | SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2017-11471 | | Cri | 0.67 | 9.8 | 0.01 | | Jul 20, 2017 | IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php via the element parameter. |
| CVE-2017-11470 | | Cri | 0.67 | 9.8 | 0.01 | | Jul 20, 2017 | IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php via the element parameter. |
| CVE-2017-10682 | | Cri | 0.67 | 9.8 | 0.08 | | Jun 29, 2017 | SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php. |
| CVE-2017-9730 | | Cri | 0.67 | 9.8 | 0.02 | | Jun 19, 2017 | SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter. |
| CVE-2015-7346 | | Cri | 0.67 | 9.8 | 0.04 | | Jun 7, 2017 | SQL injection vulnerability in ZCMS 1.1. |