VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 234 of 512
  • CVE-2024-21272HigOct 15, 2024
    risk 0.42cvss 7.5epss 0.01

    Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise…

  • CVE-2024-8484HigSep 25, 2024
    risk 0.42cvss 7.5epss 0.04

    The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied…

  • CVE-2023-50718MedMay 14, 2024
    risk 0.42cvss 6.5epss 0.01

    NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the…

  • CVE-2024-2871MedApr 9, 2024
    risk 0.42cvss 6.4epss 0.00

    The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. …

  • CVE-2024-0608MedMar 29, 2024
    risk 0.42cvss 6.5epss 0.01

    The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to union-based SQL Injection via the 'email' parameter in all versions up to, and including, 1.13.1 due to insufficient escaping on the user…

  • CVE-2023-47438MedMar 27, 2024
    risk 0.42cvss 6.5epss 0.00

    SQL Injection vulnerability in Reportico Till 8.1.0 allows attackers to obtain sensitive information or other system information via the project parameter.

  • CVE-2024-2453MedMar 21, 2024
    risk 0.42cvss 6.4epss 0.00

    There is an SQL injection vulnerability in Advantech WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code in the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database.

  • CVE-2024-29031HigMar 21, 2024
    risk 0.42cvss 7.5epss 0.01

    Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.17 allows a remote attacker to obtain sensitive information via the `order`…

  • CVE-2024-1982MedFeb 29, 2024
    risk 0.42cvss 6.5epss 0.01

    The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions in all versions up to, and including, 0.9.68. This makes it possible for unauthenticated…

  • CVE-2024-21747HigJan 8, 2024
    risk 0.42cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting.This issue affects WP ERP | Complete HR solution with recruitment & job…

  • CVE-2023-38519HigDec 20, 2023
    risk 0.42cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance.This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from…

  • CVE-2022-47420MedNov 6, 2023
    risk 0.42cvss 6.4epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Online ADA Accessibility Suite by Online ADA allows SQL Injection.This issue affects Accessibility Suite by Online ADA: from n/a through 4.12.

  • CVE-2023-5252MedOct 30, 2023
    risk 0.42cvss 6.4epss 0.00

    The FareHarbor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with…

  • CVE-2023-43794MedOct 17, 2023
    risk 0.42cvss 6.5epss 0.01

    Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can…

  • CVE-2023-43667HigOct 16, 2023
    risk 0.42cvss 7.5epss 0.01

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can create misleading or false log records, making it harder to audit and…

  • CVE-2023-41886HigSep 15, 2023
    risk 0.42cvss 7.5epss 0.01

    OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue.

  • CVE-2023-36189HigJul 6, 2023
    risk 0.42cvss 7.5epss 0.01

    SQL injection vulnerability in langchain before v0.0.247 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.

  • CVE-2023-34602HigJun 19, 2023
    risk 0.42cvss 7.5epss 0.01

    JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryTableDictItemsByCode at org.jeecg.modules.api.controller.SystemApiController.

  • CVE-2023-33945MedMay 24, 2023
    risk 0.42cvss 6.4epss 0.01

    SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This…

  • CVE-2022-47605MedApr 12, 2023
    risk 0.42cvss 6.4epss 0.01

    Auth. SQL Injection') vulnerability in Kunal Nagar Custom 404 Pro plugin <= 3.7.0 versions.