CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,888)

page 272 of 445

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-3212	Seagullproject.org Seagull	0.03	—	0.01	Sep 3, 2010	SQL injection vulnerability in index.php in Seagull 0.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via the frmQuestion parameter in a retrieve action, in conjunction with a user/password PATH_INFO.
CVE-2010-3211	Jextn Com Jefaqpro	0.03	—	0.00	Sep 3, 2010	Multiple SQL injection vulnerabilities in the JE FAQ Pro (com_jefaqpro) component 1.5.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via category categorylist operations with (1) the catid parameter or (2) the catid parameter in a lists action.
CVE-2010-3207	Galeriashqip Galeriashqip	0.03	—	0.01	Sep 3, 2010	SQL injection vulnerability in index.php in GaleriaSHQIP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the album_id parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-4992	Script Shop24 Lm Starmail Paidmail	0.03	—	0.01	Aug 25, 2010	SQL injection vulnerability in paidbanner.php in LM Starmail Paidmail 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2009-4985	Websitesrus Accessories Me PHP Affiliate Script	0.03	—	0.01	Aug 25, 2010	SQL injection vulnerability in browse.php in Accessories Me PHP Affiliate Script 1.4 allows remote attackers to execute arbitrary SQL commands via the Go parameter.
CVE-2009-4982	Irokez Irokez CMS	0.03	—	0.00	Aug 25, 2010	SQL injection vulnerability in the select function in Irokez CMS 0.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to the default URI.
CVE-2010-3029	Phpkick Phpkick	0.03	—	0.00	Aug 16, 2010	SQL injection vulnerability in statistics.php in PHPKick 0.8 allows remote attackers to execute arbitrary SQL commands via the gameday parameter in an overview action.
CVE-2010-3027	Tycoon Baseball Script	0.03	—	0.01	Aug 16, 2010	SQL injection vulnerability in index.php in Tycoon Baseball Script 1.0.9 allows remote attackers to execute arbitrary SQL commands via the game_id parameter in a game_player action.
CVE-2010-2933	Av Scripts Av Arcade	0.03	—	0.00	Aug 5, 2010	SQL injection vulnerability in AV Scripts AV Arcade 3 allows remote attackers to execute arbitrary SQL commands via the ava_code cookie to the "main page," related to index.php and the login task.
CVE-2010-2926	Solucija Snews	0.03	—	0.00	Jul 30, 2010	SQL injection vulnerability in index.php in sNews 1.7 allows remote attackers to execute arbitrary SQL commands via the category parameter.
CVE-2010-2925	Openfreeway Freeway	0.03	—	0.00	Jul 30, 2010	SQL injection vulnerability in index.php in Freeway CMS 1.4.3.210 allows remote attackers to execute arbitrary SQL commands via the ecPath parameter.
CVE-2010-2924	Silvercover Mylinksdump Plugin	0.03	—	0.01	Jul 30, 2010	SQL injection vulnerability in myLDlinker.php in the myLinksDump Plugin 1.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the url parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-2923	Prasanna Com Youtube	0.03	—	0.00	Jul 30, 2010	SQL injection vulnerability in the YouTube (com_youtube) component 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id_cate parameter to index.php.
CVE-2010-2922	Ali Kenan Aky Blog	0.03	—	0.01	Jul 30, 2010	SQL injection vulnerability in default.asp in AKY Blog allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2921	Photoindochina Com Golfcourseguide	0.03	—	0.00	Jul 30, 2010	SQL injection vulnerability in the Golf Course Guide (com_golfcourseguide) component 0.9.6.0 beta and 1 beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a golfcourses action to index.php.
CVE-2010-2919	Joomlaxt Com Staticxt	0.03	—	0.00	Jul 30, 2010	SQL injection vulnerability in the StaticXT (com_staticxt) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2010-2916	Aj Square Aj Hyip	0.03	—	0.01	Jul 30, 2010	SQL injection vulnerability in news.php in AJ Square AJ HYIP MERIDIAN allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2915	Aj Square Aj Hyip	0.03	—	0.01	Jul 30, 2010	SQL injection vulnerability in welcome.php in AJ Square AJ HYIP PRIME allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2912	Kayako Esupport	0.03	—	0.00	Jul 28, 2010	SQL injection vulnerability in index.php in Kayako eSupport 3.70.02 allows remote attackers to execute arbitrary SQL commands via the _a parameter in a downloads action.
CVE-2010-2911	Kayako Esupport	0.03	—	0.01	Jul 28, 2010	SQL injection vulnerability in index.php in Kayako eSupport 3.70.02 allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a viewnews action.

CVE-2010-3212Sep 3, 2010
Seagullproject.org
Seagull
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Seagull 0.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via the frmQuestion parameter in a retrieve action, in conjunction with a user/password PATH_INFO.
CVE-2010-3211Sep 3, 2010
Jextn
Com Jefaqpro
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in the JE FAQ Pro (com_jefaqpro) component 1.5.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via category categorylist operations with (1) the catid parameter or (2) the catid parameter in a lists action.
CVE-2010-3207Sep 3, 2010
Galeriashqip
Galeriashqip
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in GaleriaSHQIP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the album_id parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-4992Aug 25, 2010
Script Shop24
Lm Starmail Paidmail
risk 0.03cvss —epss 0.01
SQL injection vulnerability in paidbanner.php in LM Starmail Paidmail 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2009-4985Aug 25, 2010
Websitesrus
Accessories Me PHP Affiliate Script
risk 0.03cvss —epss 0.01
SQL injection vulnerability in browse.php in Accessories Me PHP Affiliate Script 1.4 allows remote attackers to execute arbitrary SQL commands via the Go parameter.
CVE-2009-4982Aug 25, 2010
Irokez
Irokez CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the select function in Irokez CMS 0.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to the default URI.
CVE-2010-3029Aug 16, 2010
Phpkick
Phpkick
risk 0.03cvss —epss 0.00
SQL injection vulnerability in statistics.php in PHPKick 0.8 allows remote attackers to execute arbitrary SQL commands via the gameday parameter in an overview action.
CVE-2010-3027Aug 16, 2010
Tycoon
Baseball Script
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Tycoon Baseball Script 1.0.9 allows remote attackers to execute arbitrary SQL commands via the game_id parameter in a game_player action.
CVE-2010-2933Aug 5, 2010
Av Scripts
Av Arcade
risk 0.03cvss —epss 0.00
SQL injection vulnerability in AV Scripts AV Arcade 3 allows remote attackers to execute arbitrary SQL commands via the ava_code cookie to the "main page," related to index.php and the login task.
CVE-2010-2926Jul 30, 2010
Solucija
Snews
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in sNews 1.7 allows remote attackers to execute arbitrary SQL commands via the category parameter.
CVE-2010-2925Jul 30, 2010
Openfreeway
Freeway
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Freeway CMS 1.4.3.210 allows remote attackers to execute arbitrary SQL commands via the ecPath parameter.
CVE-2010-2924Jul 30, 2010
Silvercover
Mylinksdump Plugin
risk 0.03cvss —epss 0.01
SQL injection vulnerability in myLDlinker.php in the myLinksDump Plugin 1.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the url parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-2923Jul 30, 2010
Prasanna
Com Youtube
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the YouTube (com_youtube) component 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id_cate parameter to index.php.
CVE-2010-2922Jul 30, 2010
Ali Kenan
Aky Blog
risk 0.03cvss —epss 0.01
SQL injection vulnerability in default.asp in AKY Blog allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2921Jul 30, 2010
Photoindochina
Com Golfcourseguide
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Golf Course Guide (com_golfcourseguide) component 0.9.6.0 beta and 1 beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a golfcourses action to index.php.
CVE-2010-2919Jul 30, 2010
Joomlaxt
Com Staticxt
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the StaticXT (com_staticxt) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2010-2916Jul 30, 2010
Aj Square
Aj Hyip
risk 0.03cvss —epss 0.01
SQL injection vulnerability in news.php in AJ Square AJ HYIP MERIDIAN allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2915Jul 30, 2010
Aj Square
Aj Hyip
risk 0.03cvss —epss 0.01
SQL injection vulnerability in welcome.php in AJ Square AJ HYIP PRIME allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2912Jul 28, 2010
Kayako
Esupport
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Kayako eSupport 3.70.02 allows remote attackers to execute arbitrary SQL commands via the _a parameter in a downloads action.
CVE-2010-2911Jul 28, 2010
Kayako
Esupport
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Kayako eSupport 3.70.02 allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a viewnews action.