CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 19 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-47926 | Cri | 0.64 | 9.8 | 0.00 | Dec 30, 2024 | Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | |
| CVE-2024-8950 | Cri | 0.64 | 9.9 | 0.00 | Dec 25, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arne Informatics Piramit Automation allows Blind SQL Injection.This issue affects Piramit Automation: before 27.09.2024. | |
| CVE-2024-10244 | Cri | 0.64 | 9.8 | 0.00 | Dec 19, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection.This issue affects Web Software: before 3.6. | |
| CVE-2024-8972 | Cri | 0.64 | 9.8 | 0.00 | Dec 17, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobil365 Informatics Saha365 App allows SQL Injection.This issue affects Saha365 App: before 30.09.2024. | |
| CVE-2024-55586 | Cri | 0.64 | 9.8 | 0.00 | Dec 10, 2024 | Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method. NOTE: the vendor's position is that this is intended behavior. | |
| CVE-2024-8259 | Cri | 0.64 | 9.8 | 0.00 | Dec 9, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection.This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported. | |
| CVE-2024-52335 | Cri | 0.64 | 9.8 | 0.01 | Dec 6, 2024 | A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF05). The affected application do not properly sanitize input data before sending it to the SQL server. This could allow an attacker with access to the application could use this vulnerability to execute malicious SQL commands to compromise the whole database. | |
| CVE-2024-41579 | Cri | 0.64 | 9.8 | 0.03 | Dec 5, 2024 | DTStack Taier 1.4.0 allows remote attackers to specify the jobName parameter in the console listNames function to cause a SQL injection vulnerability | |
| CVE-2024-50942 | Cri | 0.64 | 9.8 | 0.00 | Nov 26, 2024 | qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml. | |
| CVE-2024-50724 | Cri | 0.64 | 9.8 | 0.00 | Nov 15, 2024 | KASO v9.0 was discovered to contain a SQL injection vulnerability via the person_id parameter at /cardcase/editcard.jsp. | |
| CVE-2024-48465 | Cri | 0.64 | 9.8 | 0.00 | Oct 28, 2024 | The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter | |
| CVE-2024-9982 | Cri | 0.64 | 9.8 | 0.02 | Oct 15, 2024 | AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content. | |
| CVE-2024-9972 | Cri | 0.64 | 9.8 | 0.01 | Oct 15, 2024 | Property Management System from ChanGate has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | |
| CVE-2024-46532 | Cri | 0.64 | 9.8 | 0.04 | Oct 11, 2024 | SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component. | |
| CVE-2024-45918 | Cri | 0.64 | 9.8 | 0.00 | Oct 8, 2024 | Fujian Kelixin Communication Command and Dispatch Platform <=7.6.6.4391 is vulnerable to SQL Injection via /client/get_gis_fence.php. | |
| CVE-2024-8161 | Cri | 0.64 | 9.8 | 0.01 | Aug 26, 2024 | SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information stored in the database. | |
| CVE-2024-33872 | Cri | 0.64 | 9.8 | 0.00 | Aug 20, 2024 | Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges. | |
| CVE-2024-6457 | Cri | 0.64 | 9.8 | 0.08 | Jul 16, 2024 | The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
| CVE-2024-3604 | Cri | 0.64 | 9.9 | 0.01 | Jul 9, 2024 | The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, and including, 6.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
| CVE-2024-27709 | Cri | 0.64 | 9.8 | 0.01 | Jul 5, 2024 | SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component. |
- risk 0.64cvss 9.8epss 0.00
Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- risk 0.64cvss 9.9epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arne Informatics Piramit Automation allows Blind SQL Injection.This issue affects Piramit Automation: before 27.09.2024.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection.This issue affects Web Software: before 3.6.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobil365 Informatics Saha365 App allows SQL Injection.This issue affects Saha365 App: before 30.09.2024.
- risk 0.64cvss 9.8epss 0.00
Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method. NOTE: the vendor's position is that this is intended behavior.
- risk 0.64cvss 9.8epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection.This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported.
- risk 0.64cvss 9.8epss 0.01
A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF05). The affected application do not properly sanitize input data before sending it to the SQL server. This could allow an attacker with access to the application could use this vulnerability to execute malicious SQL commands to compromise the whole database.
- risk 0.64cvss 9.8epss 0.03
DTStack Taier 1.4.0 allows remote attackers to specify the jobName parameter in the console listNames function to cause a SQL injection vulnerability
- risk 0.64cvss 9.8epss 0.00
qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml.
- risk 0.64cvss 9.8epss 0.00
KASO v9.0 was discovered to contain a SQL injection vulnerability via the person_id parameter at /cardcase/editcard.jsp.
- risk 0.64cvss 9.8epss 0.00
The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter
- risk 0.64cvss 9.8epss 0.02
AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content.
- risk 0.64cvss 9.8epss 0.01
Property Management System from ChanGate has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
- risk 0.64cvss 9.8epss 0.04
SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component.
- risk 0.64cvss 9.8epss 0.00
Fujian Kelixin Communication Command and Dispatch Platform <=7.6.6.4391 is vulnerable to SQL Injection via /client/get_gis_fence.php.
- risk 0.64cvss 9.8epss 0.01
SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information stored in the database.
- risk 0.64cvss 9.8epss 0.00
Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges.
- risk 0.64cvss 9.8epss 0.08
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- risk 0.64cvss 9.9epss 0.01
The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, and including, 6.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- risk 0.64cvss 9.8epss 0.01
SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component.