CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,888)

page 274 of 445

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-2694	Redcomponent Com Redshop	0.03	—	0.00	Jul 12, 2010	SQL injection vulnerability in the redSHOP Component (com_redshop) 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter to index.php.
CVE-2010-2691	2daybiz Custom T Shirt Design Script	0.03	—	0.02	Jul 12, 2010	Multiple SQL injection vulnerabilities in 2daybiz Custom T-Shirt Design Script allow remote attackers to execute arbitrary SQL commands via the (1) sbid parameter to products_details.php, (2) pid parameter to products/products.php, and (3) designid parameter to designview.php.
CVE-2010-2690	Jooforge Com Gamesbox	0.03	—	0.00	Jul 12, 2010	SQL injection vulnerability in the JOOFORGE Gamesbox (com_gamesbox) component 1.0.2, and possibly earlier, for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a consoles action to index.php.
CVE-2010-2689	Internetdm Webdm CMS	0.03	—	0.00	Jul 12, 2010	SQL injection vulnerability in cont_form.php in Internet DM WebDM CMS allows remote attackers to execute arbitrary SQL commands via the cf_id parameter.
CVE-2010-2688	Site2nite Boat Classifieds	0.03	—	0.02	Jul 12, 2010	SQL injection vulnerability in detail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2010-2687	Site2nite Boat Classifieds	0.03	—	0.03	Jul 12, 2010	SQL injection vulnerability in printdetail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the Id parameter.
CVE-2010-2684	Customerparadigm Pagedirector CMS	0.03	—	0.01	Jul 12, 2010	SQL injection vulnerability in index.php in Customer Paradigm PageDirector CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2683	Customerparadigm Pagedirector CMS	0.03	—	0.00	Jul 12, 2010	SQL injection vulnerability in result.php in Customer Paradigm PageDirector CMS allows remote attackers to execute arbitrary SQL commands via the sub_catid parameter.
CVE-2009-4935	Esoftpro Online Guestbook Pro	0.03	—	0.00	Jul 12, 2010	SQL injection vulnerability in ogp_show.php in Online Guestbook Pro allows remote attackers to execute arbitrary SQL commands via the display parameter.
CVE-2009-4933	Winterwebs Ezwebitor	0.03	—	0.00	Jul 12, 2010	Multiple SQL injection vulnerabilities in login.php in EZ Webitor allow remote attackers to execute arbitrary SQL commands via the (1) txtUserId (Username) and (2) txtPassword (Password) parameters. NOTE: some of these details are obtained from third party information.
CVE-2009-4925	Creasito Creasito E Commerce Content Manager	0.03	—	0.01	Jul 12, 2010	Multiple SQL injection vulnerabilities in Portale e-commerce Creasito (aka creasito e-commerce content manager) 1.3.16, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the username parameter to (1) admin/checkuser.php and (2) checkuser.php.
CVE-2010-2679	Joomla Joomla!	0.03	—	0.00	Jul 8, 2010	SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php.
CVE-2010-2674	Alanzard Tsoka\	0.03	—	0.00	Jul 8, 2010	SQL injection vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in an articolo action.
CVE-2010-2673	Devana Devana	0.03	—	0.01	Jul 8, 2010	SQL injection vulnerability in profile_view.php in Devana 1.6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2670	Brotherscripts Recipe Website	0.03	—	0.00	Jul 8, 2010	SQL injection vulnerability in recipedetail.php in BrotherScripts Recipe Website allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1327	Tornadostore Tornadostore	0.03	—	0.00	Jul 6, 2010	Multiple SQL injection vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the marca parameter to precios.php3 or (2) the where parameter in a delivery_courier action to control/abm_list.php3.
CVE-2010-2624	Iscripts Easysnaps	0.03	—	0.00	Jul 2, 2010	Multiple SQL injection vulnerabilities in iScripts EasySnaps 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) comment parameter to add_comments.php, (2) values parameter to tags_details.php, or (3) begin parameter to greetings.php.
CVE-2010-2623	Internetdm Bed And Breakfast	0.03	—	0.00	Jul 2, 2010	SQL injection vulnerability in pages.php in Internet DM Specialist Bed and Breakfast allows remote attackers to execute arbitrary SQL commands via the pp_id parameter.
CVE-2010-2622	Joomanager Joomanager	0.03	—	0.00	Jul 2, 2010	SQL injection vulnerability in the Joomanager component, possibly 1.1.1, for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.
CVE-2010-2616	Paul Mcenery PHP Bible Search	0.03	—	0.00	Jul 2, 2010	SQL injection vulnerability in bible.php in PHP Bible Search, probably 0.99, allows remote attackers to execute arbitrary SQL commands via the chapter parameter.

CVE-2010-2694Jul 12, 2010
Redcomponent
Com Redshop
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the redSHOP Component (com_redshop) 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter to index.php.
CVE-2010-2691Jul 12, 2010
2daybiz
Custom T Shirt Design Script
risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in 2daybiz Custom T-Shirt Design Script allow remote attackers to execute arbitrary SQL commands via the (1) sbid parameter to products_details.php, (2) pid parameter to products/products.php, and (3) designid parameter to designview.php.
CVE-2010-2690Jul 12, 2010
Jooforge
Com Gamesbox
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JOOFORGE Gamesbox (com_gamesbox) component 1.0.2, and possibly earlier, for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a consoles action to index.php.
CVE-2010-2689Jul 12, 2010
Internetdm
Webdm CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in cont_form.php in Internet DM WebDM CMS allows remote attackers to execute arbitrary SQL commands via the cf_id parameter.
CVE-2010-2688Jul 12, 2010
Site2nite
Boat Classifieds
risk 0.03cvss —epss 0.02
SQL injection vulnerability in detail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2010-2687Jul 12, 2010
Site2nite
Boat Classifieds
risk 0.03cvss —epss 0.03
SQL injection vulnerability in printdetail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the Id parameter.
CVE-2010-2684Jul 12, 2010
Customerparadigm
Pagedirector CMS
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Customer Paradigm PageDirector CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2683Jul 12, 2010
Customerparadigm
Pagedirector CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in result.php in Customer Paradigm PageDirector CMS allows remote attackers to execute arbitrary SQL commands via the sub_catid parameter.
CVE-2009-4935Jul 12, 2010
Esoftpro
Online Guestbook Pro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in ogp_show.php in Online Guestbook Pro allows remote attackers to execute arbitrary SQL commands via the display parameter.
CVE-2009-4933Jul 12, 2010
Winterwebs
Ezwebitor
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.php in EZ Webitor allow remote attackers to execute arbitrary SQL commands via the (1) txtUserId (Username) and (2) txtPassword (Password) parameters. NOTE: some of these details are obtained from third party information.
CVE-2009-4925Jul 12, 2010
Creasito
Creasito E Commerce Content Manager
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Portale e-commerce Creasito (aka creasito e-commerce content manager) 1.3.16, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the username parameter to (1) admin/checkuser.php and (2) checkuser.php.
CVE-2010-2679Jul 8, 2010
Joomla
Joomla!
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php.
CVE-2010-2674Jul 8, 2010
Alanzard
Tsoka\
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in an articolo action.
CVE-2010-2673Jul 8, 2010
Devana
Devana
risk 0.03cvss —epss 0.01
SQL injection vulnerability in profile_view.php in Devana 1.6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2670Jul 8, 2010
Brotherscripts
Recipe Website
risk 0.03cvss —epss 0.00
SQL injection vulnerability in recipedetail.php in BrotherScripts Recipe Website allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1327Jul 6, 2010
Tornadostore
Tornadostore
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the marca parameter to precios.php3 or (2) the where parameter in a delivery_courier action to control/abm_list.php3.
CVE-2010-2624Jul 2, 2010
Iscripts
Easysnaps
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in iScripts EasySnaps 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) comment parameter to add_comments.php, (2) values parameter to tags_details.php, or (3) begin parameter to greetings.php.
CVE-2010-2623Jul 2, 2010
Internetdm
Bed And Breakfast
risk 0.03cvss —epss 0.00
SQL injection vulnerability in pages.php in Internet DM Specialist Bed and Breakfast allows remote attackers to execute arbitrary SQL commands via the pp_id parameter.
CVE-2010-2622Jul 2, 2010
Joomanager
Joomanager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Joomanager component, possibly 1.1.1, for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.
CVE-2010-2616Jul 2, 2010
Paul Mcenery
PHP Bible Search
risk 0.03cvss —epss 0.00
SQL injection vulnerability in bible.php in PHP Bible Search, probably 0.99, allows remote attackers to execute arbitrary SQL commands via the chapter parameter.