VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 214 of 512
  • CVE-2025-1116HigFeb 8, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability, which was classified as critical, has been found in Dreamvention Live AJAX Search Free up to 1.0.6 on OpenCart. Affected by this issue is the function searchresults/search of the file /?route=extension/live_search/module/live_search.searchresults. The…

  • CVE-2024-57238HigFeb 3, 2025
    risk 0.47cvss 7.3epss 0.00

    Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to SQL Injection in in the /reqproc/proc_get endpoint. The vulnerability allows an attacker to manipulate SQL queries by injecting malicious SQL code into the order_by parameter.

  • CVE-2025-0579HigJan 20, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in Shiprocket Module 3/4 on OpenCart. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php?route=extension/shiprocket/module/restapi of the component REST API Module. The manipulation of the…

  • CVE-2024-45757HigDec 3, 2024
    risk 0.47cvss 7.2epss 0.00

    An issue was discovered in Centreon centreon-bam 24.04, 23.10, 23.04, and 22.10. SQL injection can occur in the user-settings form. Exploitation is only accessible to authenticated users with high-privileged access.

  • CVE-2024-45756HigNov 25, 2024
    risk 0.47cvss 7.2epss 0.00

    An issue was discovered in Centreon centreon-open-tickets 24.10.x before 24.10.0, 24.04.x before 24.04.2, 23.10.x before 23.10.1, 23.04.x before 23.04.3, and 22.10.x before 22.10.2. SQL injection can occur in the form to create a ticket. Exploitation is only accessible to…

  • CVE-2024-9887HigNov 16, 2024
    risk 0.47cvss 7.2epss 0.00

    The Login using WordPress Users ( WP as SAML IDP ) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.15.6 due to insufficient escaping on the user supplied parameter and lack of sufficient…

  • CVE-2024-45794HigNov 7, 2024
    risk 0.47cvss 8.3epss 0.01

    devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue…

  • CVE-2024-43436HigNov 7, 2024
    risk 0.47cvss 7.2epss 0.01

    A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.

  • CVE-2024-48230HigOct 25, 2024
    risk 0.47cvss 7.2epss 0.00

    funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php.

  • CVE-2024-48229HigOct 25, 2024
    risk 0.47cvss 7.2epss 0.00

    funadmin 5.0.2 has a SQL injection vulnerability in the Curd one click command mode plugin.

  • CVE-2024-48226HigOct 25, 2024
    risk 0.47cvss 7.2epss 0.01

    Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield.

  • CVE-2024-48223HigOct 25, 2024
    risk 0.47cvss 7.2epss 0.01

    Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist.

  • CVE-2024-48222HigOct 25, 2024
    risk 0.47cvss 7.2epss 0.01

    Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit.

  • CVE-2024-48218HigOct 25, 2024
    risk 0.47cvss 7.2epss 0.01

    Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/list.

  • CVE-2024-48231HigOct 21, 2024
    risk 0.47cvss 7.2epss 0.00

    Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \backend\controller\auth\Auth.php.

  • CVE-2023-3419HigAug 17, 2024
    risk 0.47cvss 7.2epss 0.01

    The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the 'couponId' parameter of the 'recreate_stripe_subscription' REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient…

  • CVE-2023-3416HigAug 17, 2024
    risk 0.47cvss 7.2epss 0.01

    The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the 'subscriptionCouponId' parameter via the 'create_stripe_subscription' REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of…

  • CVE-2024-7101HigJul 25, 2024
    risk 0.47cvss 7.3epss 0.00

    A vulnerability, which was classified as critical, has been found in ForIP Tecnologia Administração PABX 1.x. This issue affects some unknown processing of the file /login of the component Authentication Form. The manipulation of the argument usuario leads to sql injection.…

  • CVE-2024-6003HigJun 14, 2024
    risk 0.47cvss 7.3epss 0.01

    A vulnerability was found in Guangdong Baolun Electronics IP Network Broadcasting Service Platform 2.0. It has been classified as critical. Affected is an unknown function of the file /api/v2/maps. The manipulation of the argument orderColumn leads to sql injection. It is…

  • CVE-2024-4902HigJun 7, 2024
    risk 0.47cvss 7.2epss 0.01

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘course_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient…