CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,888)

page 273 of 445

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-2910	Alexred Com Oziogallery	0.03	—	0.00	Jul 28, 2010	SQL injection vulnerability in the Ozio Gallery (com_oziogallery) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
CVE-2010-2909	Toughtomato Com Ttvideo	0.03	—	0.01	Jul 28, 2010	SQL injection vulnerability in ttvideo.php in the TTVideo (com_ttvideo) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in a video action to index.php.
CVE-2010-2908	Joomdle Com Joomdle	0.03	—	0.00	Jul 28, 2010	SQL injection vulnerability in the Joomdle (com_joomdle) component 0.24 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the course_id parameter in a detail action to index.php.
CVE-2010-2907	Huruhelpdesk Com Huruhelpdesk	0.03	—	0.00	Jul 28, 2010	SQL injection vulnerability in the Huru Helpdesk (com_huruhelpdesk) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a detail action to index.php.
CVE-2010-2906	Brotherscripts Scripts Directory	0.03	—	0.00	Jul 28, 2010	SQL injection vulnerability in articlesdetails.php in ScriptsFeed and BrotherScripts (BS) Scripts Directory allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2010-2905.
CVE-2010-2905	Brotherscripts Scripts Directory	0.03	—	0.00	Jul 28, 2010	SQL injection vulnerability in info.php in ScriptsFeed and BrotherScripts (BS) Scripts Directory allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-4973	Sweetphp Totalcalendar	0.03	—	0.01	Jul 28, 2010	SQL injection vulnerability in rss.php in TotalCalendar 2.4 allows remote attackers to execute arbitrary SQL commands via the selectedCal parameter in a SwitchCal action.
CVE-2009-4958	Emophp Emo Breeder Manager	0.03	—	0.00	Jul 28, 2010	SQL injection vulnerability in video.php in EMO Breeder Manager (aka EMO Breader Manager) allows remote attackers to execute arbitrary SQL commands via the idd parameter.
CVE-2010-2853	Iscripts Visualcaster	0.03	—	0.01	Jul 25, 2010	SQL injection vulnerability in flashPlayer/playVideo.php in iScripts VisualCaster allows remote attackers to execute arbitrary SQL commands via the product_id parameter.
CVE-2010-2847	Gonzalo Maser Com Artforms	0.03	—	0.00	Jul 25, 2010	Multiple SQL injection vulnerabilities in the InterJoomla ArtForms (com_artforms) component 2.1b7.2 RC2 for Joomla! allow remote attackers to execute arbitrary SQL commands via the viewform parameter in a (1) ferforms or (2) tferforms action to index.php, and the (3) id parameter in a vferforms action to index.php.
CVE-2010-2845	Schlu.net Com Quickfaq	0.03	—	0.00	Jul 25, 2010	SQL injection vulnerability in the QuickFAQ (com_quickfaq) component 1.0.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a category action to index.php.
CVE-2009-4940	Zeuscart Zeuscart	0.03	—	0.00	Jul 22, 2010	SQL injection vulnerability in index.php in Zeus Cart 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the maincatid parameter in a showmaincatlanding action.
CVE-2009-4936	Spirate Small Pirate	0.03	—	0.02	Jul 22, 2010	Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to the default URI in an rss .xml action, or the id parameter to (2) pag1.php, (3) pag1-guest.php, (4) rss-comment_post.php (aka rss-coment_post.php), or (5) rss-pic-comment.php.
CVE-2010-2721	Rightinpoint Lyrics Engine	0.03	—	0.01	Jul 13, 2010	SQL injection vulnerability in index.php in RightInPoint Lyrics Script 3.0 allows remote attackers to execute arbitrary SQL commands via the artist_id parameter in an addalbum action.
CVE-2010-2720	Phpaa Phpaacms	0.03	—	0.00	Jul 13, 2010	SQL injection vulnerability in list.php in phpaaCms 0.3.1 UTF-8, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-2719	Phpaa Phpaacms	0.03	—	0.00	Jul 13, 2010	SQL injection vulnerability in show.php in phpaaCms 0.3.1 UTF-8, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2716	Rich Kavanagh Psnews	0.03	—	0.00	Jul 13, 2010	Multiple SQL injection vulnerabilities in PsNews 1.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) ndetail.php and (2) print.php.
CVE-2010-2714	Tcwonline Tcw PHP Album	0.03	—	0.00	Jul 13, 2010	SQL injection vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to execute arbitrary SQL commands via the album parameter.
CVE-2010-2699	Edgephp Clickbank Affiliate Marketplace Script	0.03	—	0.00	Jul 12, 2010	SQL injection vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to execute arbitrary SQL commands via the search parameter.
CVE-2010-2696	Sijio Community Software	0.03	—	0.00	Jul 12, 2010	SQL injection vulnerability in gallery/index.php in Sijio Community Software allows remote attackers to execute arbitrary SQL commands via the parent parameter.

CVE-2010-2910Jul 28, 2010
Alexred
Com Oziogallery
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Ozio Gallery (com_oziogallery) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
CVE-2010-2909Jul 28, 2010
Toughtomato
Com Ttvideo
risk 0.03cvss —epss 0.01
SQL injection vulnerability in ttvideo.php in the TTVideo (com_ttvideo) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in a video action to index.php.
CVE-2010-2908Jul 28, 2010
Joomdle
Com Joomdle
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Joomdle (com_joomdle) component 0.24 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the course_id parameter in a detail action to index.php.
CVE-2010-2907Jul 28, 2010
Huruhelpdesk
Com Huruhelpdesk
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Huru Helpdesk (com_huruhelpdesk) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid[0] parameter in a detail action to index.php.
CVE-2010-2906Jul 28, 2010
Brotherscripts
Scripts Directory
risk 0.03cvss —epss 0.00
SQL injection vulnerability in articlesdetails.php in ScriptsFeed and BrotherScripts (BS) Scripts Directory allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2010-2905.
CVE-2010-2905Jul 28, 2010
Brotherscripts
Scripts Directory
risk 0.03cvss —epss 0.00
SQL injection vulnerability in info.php in ScriptsFeed and BrotherScripts (BS) Scripts Directory allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-4973Jul 28, 2010
Sweetphp
Totalcalendar
risk 0.03cvss —epss 0.01
SQL injection vulnerability in rss.php in TotalCalendar 2.4 allows remote attackers to execute arbitrary SQL commands via the selectedCal parameter in a SwitchCal action.
CVE-2009-4958Jul 28, 2010
Emophp
Emo Breeder Manager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in video.php in EMO Breeder Manager (aka EMO Breader Manager) allows remote attackers to execute arbitrary SQL commands via the idd parameter.
CVE-2010-2853Jul 25, 2010
Iscripts
Visualcaster
risk 0.03cvss —epss 0.01
SQL injection vulnerability in flashPlayer/playVideo.php in iScripts VisualCaster allows remote attackers to execute arbitrary SQL commands via the product_id parameter.
CVE-2010-2847Jul 25, 2010
Gonzalo Maser
Com Artforms
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in the InterJoomla ArtForms (com_artforms) component 2.1b7.2 RC2 for Joomla! allow remote attackers to execute arbitrary SQL commands via the viewform parameter in a (1) ferforms or (2) tferforms action to index.php, and the (3) id parameter in a vferforms action to index.php.
CVE-2010-2845Jul 25, 2010
Schlu.net
Com Quickfaq
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the QuickFAQ (com_quickfaq) component 1.0.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a category action to index.php.
CVE-2009-4940Jul 22, 2010
Zeuscart
Zeuscart
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Zeus Cart 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the maincatid parameter in a showmaincatlanding action.
CVE-2009-4936Jul 22, 2010
Spirate
Small Pirate
risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to the default URI in an rss .xml action, or the id parameter to (2) pag1.php, (3) pag1-guest.php, (4) rss-comment_post.php (aka rss-coment_post.php), or (5) rss-pic-comment.php.
CVE-2010-2721Jul 13, 2010
Rightinpoint
Lyrics Engine
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in RightInPoint Lyrics Script 3.0 allows remote attackers to execute arbitrary SQL commands via the artist_id parameter in an addalbum action.
CVE-2010-2720Jul 13, 2010
Phpaa
Phpaacms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in list.php in phpaaCms 0.3.1 UTF-8, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-2719Jul 13, 2010
Phpaa
Phpaacms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in show.php in phpaaCms 0.3.1 UTF-8, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2716Jul 13, 2010
Rich Kavanagh
Psnews
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in PsNews 1.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) ndetail.php and (2) print.php.
CVE-2010-2714Jul 13, 2010
Tcwonline
Tcw PHP Album
risk 0.03cvss —epss 0.00
SQL injection vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to execute arbitrary SQL commands via the album parameter.
CVE-2010-2699Jul 12, 2010
Edgephp
Clickbank Affiliate Marketplace Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to execute arbitrary SQL commands via the search parameter.
CVE-2010-2696Jul 12, 2010
Sijio
Community Software
risk 0.03cvss —epss 0.00
SQL injection vulnerability in gallery/index.php in Sijio Community Software allows remote attackers to execute arbitrary SQL commands via the parent parameter.