VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 24 of 512
  • CVE-2025-0929CriJan 31, 2025
    risk 0.64cvss 9.8epss 0.01

    SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.

  • CVE-2023-37777CriJan 22, 2025
    risk 0.64cvss 9.8epss 0.00

    A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input.…

  • CVE-2025-0455CriJan 16, 2025
    risk 0.64cvss 9.8epss 0.01

    The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

  • CVE-2024-47926CriDec 30, 2024
    risk 0.64cvss 9.8epss 0.01

    Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CVE-2024-8950CriDec 25, 2024
    risk 0.64cvss 9.9epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arne Informatics Piramit Automation allows Blind SQL Injection. This issue affects Piramit Automation: before 27.09.2024.

  • CVE-2024-10244CriDec 19, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection. This issue affects Web Software: before 3.6.

  • CVE-2024-8972CriDec 17, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobil365 Informatics Saha365 App allows SQL Injection. This issue affects Saha365 App: before 30.09.2024.

  • CVE-2024-8259CriDec 9, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection. This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. …

  • CVE-2024-52335CriDec 6, 2024
    risk 0.64cvss 9.8epss 0.01

    A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF05). The affected application do not properly sanitize input data before sending it to the SQL server. This could allow an attacker with access to the application could use this vulnerability to…

  • CVE-2024-41579CriDec 5, 2024
    risk 0.64cvss 9.8epss 0.01

    DTStack Taier 1.4.0 allows remote attackers to specify the jobName parameter in the console listNames function to cause a SQL injection vulnerability

  • CVE-2024-50942CriNov 26, 2024
    risk 0.64cvss 9.8epss 0.01

    qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml.

  • CVE-2024-50724CriNov 15, 2024
    risk 0.64cvss 9.8epss 0.00

    KASO v9.0 was discovered to contain a SQL injection vulnerability via the person_id parameter at /cardcase/editcard.jsp.

  • CVE-2024-48465CriOct 28, 2024
    risk 0.64cvss 9.8epss 0.00

    The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter

  • CVE-2024-9982CriOct 15, 2024
    risk 0.64cvss 9.8epss 0.01

    AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content.

  • CVE-2024-9972CriOct 15, 2024
    risk 0.64cvss 9.8epss 0.01

    Property Management System from ChanGate has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

  • CVE-2024-46532CriOct 11, 2024
    risk 0.64cvss 9.8epss 0.01

    SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component.

  • CVE-2024-45918CriOct 8, 2024
    risk 0.64cvss 9.8epss 0.00

    Fujian Kelixin Communication Command and Dispatch Platform <=7.6.6.4391 is vulnerable to SQL Injection via /client/get_gis_fence.php.

  • CVE-2024-8607CriSep 27, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oceanic Software ValeApp allows SQL Injection. This issue affects ValeApp: before v2.0.0.

  • CVE-2024-6401CriSep 16, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting InsureE GL allows SQL Injection. This issue affects InsureE GL: before 4.6.2.

  • CVE-2024-7078CriSep 4, 2024
    risk 0.64cvss 9.8epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows SQL Injection. This issue affects Semtek Sempos: through 31072024.