VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 15 of 512
  • CVE-2015-2147 · Critical · Oct 6, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.02

    Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.

  • CVE-2017-6089 · Critical · Oct 3, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id parameter to…

  • CVE-2017-14738 · Critical · Sep 30, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    FileRun (version 2017.09.18 and below) suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the metafield parameter inside the metasearch module (under the search function).

  • CVE-2017-14507 · Critical · Sep 29, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.05

    Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_timeline_edit.php or (3)…

  • CVE-2017-14703 · Critical · Sep 26, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/.

  • CVE-2017-12930 · Critical · Sep 21, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 version >1.5.10 allows remote unauthenticated users to access the web interface as administrator via a crafted password.

  • CVE-2015-4073 · Critical · Sep 20, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.04

    Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (3) remote authenticated users to execute arbitrary SQL commands via the…

  • CVE-2015-3313 · Critical · Sep 7, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.08

    SQL injection vulnerability in WordPress Community Events plugin before 1.4.

  • CVE-2017-9834 · Critical · Sep 7, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.04

    SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the watupro_questions parameter in a watupro_submit action to wp-admin/admin-ajax.php.

  • CVE-2014-9558 · Critical · Aug 28, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.04

    Multiple SQL injection vulnerabilities in SmartCMS v.2.

  • CVE-2017-11385 · Critical · Aug 2, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.39

    SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x6b1b due to lack of proper user input validation in cmdHandlerStatusMonitor.dll. Formerly ZDI-CAN-4545.

  • CVE-2017-11384 · Critical · Aug 2, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.39

    SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x3b21 due to lack of proper user input validation in mdHandlerLicenseManager.dll. Formerly ZDI-CAN-4561.

  • CVE-2017-11383 · Critical · Aug 2, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.39

    SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Execution when executing opcode 0x1b07 due to lack of proper user input validation in cmdHandlerTVCSCommander.dll. Formerly ZDI-CAN-4560.

  • CVE-2017-11494 · Critical · Aug 2, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.04

    SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a login action.

  • CVE-2015-2798 · Critical · Jul 25, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.03

    SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2017-11471 · Critical · Jul 20, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.01

    IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php via the element parameter.

  • CVE-2017-11470 · Critical · Jul 20, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.01

    IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php via the element parameter.

  • CVE-2017-10682 · Critical · Jun 29, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.08

    SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.

  • CVE-2017-9730 · Critical · Jun 19, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter.

  • CVE-2015-7346 · Critical · Jun 7, 2017
    risk 0.67 · CVSS 9.8 · EPSS 0.04

    SQL injection vulnerability in ZCMS 1.1.