CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,887)

page 276 of 445

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-2319	Idevspot Textads	0.03	—	0.00	Jun 17, 2010	SQL injection vulnerability in index.php in IDevSpot TextAds 2.08 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2010-2317	Wmsdesign Wmscms	0.03	—	0.00	Jun 17, 2010	Multiple SQL injection vulnerabilities in WmsCms 2.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) search, (2) sbr, (3) pid, (4) sbl, and (5) FilePath parameters to default.asp; and the (6) sbr, (7) pr, and (8) psPrice parameters to printpage.asp.
CVE-2010-2312	Hauntmax Haunted House Directory Listing CMS	0.03	—	0.00	Jun 16, 2010	SQL injection vulnerability in index.php in HauntmAx Haunted House Directory Listing CMS allows remote attackers to execute arbitrary SQL commands via the state parameter in a listings action.
CVE-2009-4892	Webjump Webjump\!	0.03	—	0.01	Jun 11, 2010	SQL injection vulnerability in Content Management System WEBjump! allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) portfolio_genre.php and (2) news_id.php.
CVE-2009-4889	Basti2web Book Panel	0.03	—	0.01	Jun 11, 2010	SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter.
CVE-2009-4883	Todd Rogers Phprecipebook	0.03	—	0.01	Jun 11, 2010	SQL injection vulnerability in index.php in PHPRecipeBook 2.24 and 2.39 allows remote attackers to execute arbitrary SQL commands via the (1) base_id or (2) course_id parameter in a search action.
CVE-2010-1931	Cubecart Cubecart	0.03	—	0.02	Jun 10, 2010	SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.
CVE-2010-2257	Payperviewvideosoftware Pay Per Minute Video Chat Script	0.03	—	0.00	Jun 9, 2010	SQL injection vulnerability in index_ie.php in Pay Per Minute Video Chat Script 2.0 and 2.1 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2010-2255	Tamlyncreative Com Bfsurvey Profree	0.03	—	0.00	Jun 9, 2010	SQL injection vulnerability in the BF Survey Pro (com_bfsurvey_pro) component before 1.3.1, BF Survey Pro Free (com_bfsurvey_profree) component 1.2.6, and BF Survey Basic component before 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. NOTE: some of these details are obtained from third party information.
CVE-2010-2254	Shape5 Bridge Of Hope Template	0.03	—	0.00	Jun 9, 2010	SQL injection vulnerability in the Shape5 Bridge of Hope template for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to index.php.
CVE-2010-2148	Unisoft Com Mycar	0.03	—	0.00	Jun 3, 2010	SQL injection vulnerability in the My Car (com_mycar) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pagina parameter to index.php.
CVE-2010-2142	Murat Ersoy Cyberhost	0.03	—	0.01	Jun 2, 2010	SQL injection vulnerability in default.asp in Cyberhost allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2141	Nitropowered Nitro Web Gallery	0.03	—	0.00	Jun 2, 2010	SQL injection vulnerability in index.php in NITRO Web Gallery allows remote attackers to execute arbitrary SQL commands via the PictureId parameter in an open action.
CVE-2010-2135	Hazelpress Hazelpress	0.03	—	0.00	Jun 2, 2010	Multiple SQL injection vulnerabilities in login.php in HazelPress Lite 0.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) password fields.
CVE-2010-2134	Http Solution Project Man	0.03	—	0.00	Jun 2, 2010	Multiple SQL injection vulnerabilities in login.php in Project Man 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.
CVE-2010-2133	My Little Forum Mylittleforum	0.03	—	0.00	Jun 2, 2010	SQL injection vulnerability in contact.php in My Little Forum allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2007-2942.
CVE-2010-2124	Bartels Schoene Conpresso	0.03	—	0.01	Jun 1, 2010	SQL injection vulnerability in firma.php in Bartels Schone ConPresso 4.0.7 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2051	Debliteck Dbcart	0.03	—	0.01	May 25, 2010	SQL injection vulnerability in article.php in Debliteck DBCart allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2047	Joenasejes Je CMS	0.03	—	0.01	May 25, 2010	SQL injection vulnerability in index.php in JE CMS 1.0.0 and 1.1 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewcategory action. NOTE: some of these details are obtained from third party information.
CVE-2010-2044	Adhie Utomo Com Konsultasi	0.03	—	0.01	May 25, 2010	SQL injection vulnerability in the Konsultasi (com_konsultasi) component 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in a detail action to index.php.

CVE-2010-2319Jun 17, 2010
Idevspot
Textads
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in IDevSpot TextAds 2.08 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2010-2317Jun 17, 2010
Wmsdesign
Wmscms
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in WmsCms 2.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) search, (2) sbr, (3) pid, (4) sbl, and (5) FilePath parameters to default.asp; and the (6) sbr, (7) pr, and (8) psPrice parameters to printpage.asp.
CVE-2010-2312Jun 16, 2010
Hauntmax
Haunted House Directory Listing CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in HauntmAx Haunted House Directory Listing CMS allows remote attackers to execute arbitrary SQL commands via the state parameter in a listings action.
CVE-2009-4892Jun 11, 2010
Webjump
Webjump\!
risk 0.03cvss —epss 0.01
SQL injection vulnerability in Content Management System WEBjump! allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) portfolio_genre.php and (2) news_id.php.
CVE-2009-4889Jun 11, 2010
Basti2web
Book Panel
risk 0.03cvss —epss 0.01
SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter.
CVE-2009-4883Jun 11, 2010
Todd Rogers
Phprecipebook
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in PHPRecipeBook 2.24 and 2.39 allows remote attackers to execute arbitrary SQL commands via the (1) base_id or (2) course_id parameter in a search action.
CVE-2010-1931Jun 10, 2010
Cubecart
Cubecart
risk 0.03cvss —epss 0.02
SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php.
CVE-2010-2257Jun 9, 2010
Payperviewvideosoftware
Pay Per Minute Video Chat Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index_ie.php in Pay Per Minute Video Chat Script 2.0 and 2.1 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2010-2255Jun 9, 2010
Tamlyncreative
Com Bfsurvey Profree
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the BF Survey Pro (com_bfsurvey_pro) component before 1.3.1, BF Survey Pro Free (com_bfsurvey_profree) component 1.2.6, and BF Survey Basic component before 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. NOTE: some of these details are obtained from third party information.
CVE-2010-2254Jun 9, 2010
Shape5
Bridge Of Hope Template
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Shape5 Bridge of Hope template for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to index.php.
CVE-2010-2148Jun 3, 2010
Unisoft
Com Mycar
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the My Car (com_mycar) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pagina parameter to index.php.
CVE-2010-2142Jun 2, 2010
Murat Ersoy
Cyberhost
risk 0.03cvss —epss 0.01
SQL injection vulnerability in default.asp in Cyberhost allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2141Jun 2, 2010
Nitropowered
Nitro Web Gallery
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in NITRO Web Gallery allows remote attackers to execute arbitrary SQL commands via the PictureId parameter in an open action.
CVE-2010-2135Jun 2, 2010
Hazelpress
Hazelpress
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.php in HazelPress Lite 0.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) password fields.
CVE-2010-2134Jun 2, 2010
Http Solution
Project Man
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.php in Project Man 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.
CVE-2010-2133Jun 2, 2010
My Little Forum
Mylittleforum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in contact.php in My Little Forum allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2007-2942.
CVE-2010-2124Jun 1, 2010
Bartels Schoene
Conpresso
risk 0.03cvss —epss 0.01
SQL injection vulnerability in firma.php in Bartels Schone ConPresso 4.0.7 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2051May 25, 2010
Debliteck
Dbcart
risk 0.03cvss —epss 0.01
SQL injection vulnerability in article.php in Debliteck DBCart allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-2047May 25, 2010
Joenasejes
Je CMS
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in JE CMS 1.0.0 and 1.1 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewcategory action. NOTE: some of these details are obtained from third party information.
CVE-2010-2044May 25, 2010
Adhie Utomo
Com Konsultasi
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Konsultasi (com_konsultasi) component 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in a detail action to index.php.