CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 27 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-3221 | Cri | 0.64 | 9.8 | 0.02 | Jul 22, 2017 | Blind SQL injection in Inmarsat AmosConnect 8 login form allows remote attackers to access user credentials, including user names and passwords. | |
| CVE-2017-11474 | Cri | 0.64 | 9.8 | 0.00 | Jul 20, 2017 | GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php. | |
| CVE-2017-11445 | Cri | 0.64 | 9.8 | 0.00 | Jul 19, 2017 | Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array. | |
| CVE-2017-11419 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title']. | |
| CVE-2017-11418 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i]. | |
| CVE-2017-11417 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id']. | |
| CVE-2017-11416 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter. | |
| CVE-2017-11415 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level']. | |
| CVE-2017-11414 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id']. | |
| CVE-2017-11413 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id']. | |
| CVE-2017-11412 | Cri | 0.64 | 9.8 | 0.00 | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id']. | |
| CVE-2017-11354 | Cri | 0.64 | 9.8 | 0.00 | Jul 17, 2017 | Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_article/sys_article.php via the name parameter in editing or adding a tag name. | |
| CVE-2017-11329 | Cri | 0.64 | 9.8 | 0.00 | Jul 17, 2017 | GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers. | |
| CVE-2017-1000060 | Cri | 0.64 | 9.8 | 0.07 | Jul 17, 2017 | EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root | |
| CVE-2017-1000004 | Cri | 0.64 | 9.8 | 0.02 | Jul 17, 2017 | ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution. | |
| CVE-2017-11174 | Cri | 0.64 | 9.8 | 0.00 | Jul 12, 2017 | In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses. | |
| CVE-2017-1175 | Cri | 0.64 | 9.8 | 0.01 | Jul 5, 2017 | IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 123297. | |
| CVE-2017-1269 | Cri | 0.64 | 9.8 | 0.01 | Jul 5, 2017 | IBM Security Guardium 10.0 and 10.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-force ID: 124744 | |
| CVE-2017-9848 | Cri | 0.64 | 9.8 | 0.00 | Jun 24, 2017 | SQL injection vulnerability in C_InfoService.asmx in WebServices in Easysite 7.0 could allow remote attackers to execute arbitrary SQL commands via an XML document containing a crafted ArticleIDs element within a GetArticleHitsArray element. | |
| CVE-2017-6050 | Cri | 0.64 | 9.8 | 0.01 | Jun 21, 2017 | A SQL Injection issue was discovered in Ecava IntegraXor Versions 5.2.1231.0 and prior. The application fails to properly validate user input, which may allow for an unauthenticated attacker to remotely execute arbitrary code in the form of SQL queries. |
- risk 0.64cvss 9.8epss 0.02
Blind SQL injection in Inmarsat AmosConnect 8 login form allows remote attackers to access user credentials, including user names and passwords.
- risk 0.64cvss 9.8epss 0.00
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
- risk 0.64cvss 9.8epss 0.00
Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array.
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter.
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id'].
- risk 0.64cvss 9.8epss 0.00
Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_article/sys_article.php via the name parameter in editing or adding a tag name.
- risk 0.64cvss 9.8epss 0.00
GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.
- risk 0.64cvss 9.8epss 0.07
EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root
- risk 0.64cvss 9.8epss 0.02
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution.
- risk 0.64cvss 9.8epss 0.00
In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8.1, unfiltered data passed to CREATE and ALTER SQL queries caused SQL Injection in the database settings page, related to use of GBK in CHARACTER SET and COLLATE clauses.
- risk 0.64cvss 9.8epss 0.01
IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 123297.
- risk 0.64cvss 9.8epss 0.01
IBM Security Guardium 10.0 and 10.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-force ID: 124744
- risk 0.64cvss 9.8epss 0.00
SQL injection vulnerability in C_InfoService.asmx in WebServices in Easysite 7.0 could allow remote attackers to execute arbitrary SQL commands via an XML document containing a crafted ArticleIDs element within a GetArticleHitsArray element.
- risk 0.64cvss 9.8epss 0.01
A SQL Injection issue was discovered in Ecava IntegraXor Versions 5.2.1231.0 and prior. The application fails to properly validate user input, which may allow for an unauthenticated attacker to remotely execute arbitrary code in the form of SQL queries.