CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,875)

page 277 of 444

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-1874	Com Property Com Properties	0.03	—	0.00	May 12, 2010	SQL injection vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2010-1873	Jvehicles Com Jvehicles	0.03	—	0.01	May 12, 2010	SQL injection vulnerability in the Jvehicles (com_jvehicles) component 1.0, 2.0, and 2.1111 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-4872	Logoshows Logoshows Bbs	0.03	—	0.00	May 11, 2010	Multiple SQL injection vulnerabilities in globepersonnel_login.asp in Logoshows BBS 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.
CVE-2009-4871	Logoshows Logoshows Bbs	0.03	—	0.01	May 11, 2010	SQL injection vulnerability in globepersonnel_forum.asp in Logoshows BBS 2.0 allows remote attackers to execute arbitrary SQL commands via the forumid parameter.
CVE-2009-4870	Phpcityportal Phpcityportal	0.03	—	0.00	May 11, 2010	Multiple SQL injection vulnerabilities in login.php in PHPCityPortal allow remote attackers to execute arbitrary SQL commands via the (1) req_username (aka Username) and (2) req_password (aka Password) parameters. NOTE: some of these details are obtained from third party information.
CVE-2009-4862	Abushhab Alwasel	0.03	—	0.00	May 11, 2010	Multiple SQL injection vulnerabilities in Alwasel 1.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) show.php and (2) xml.php.
CVE-2009-4860	Demarque Typing Pal	0.03	—	0.00	May 11, 2010	SQL injection vulnerability in demo.php in Typing Pal 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the idTableProduit parameter.
CVE-2009-4855	TYPO3 Typo3	0.03	—	0.01	May 11, 2010	SQL injection vulnerability in index.php in TYPO3 4.0 allows remote attackers to execute arbitrary SQL commands via the showUid parameter. NOTE: the TYPO3 Security Team disputes this report, stating that "there is no such vulnerability... The showUid parameter is generally used in third-party TYPO3 extensions - not in TYPO3 Core.
CVE-2010-1859	Deluxebb Deluxebb	0.03	—	0.00	May 7, 2010	SQL injection vulnerability in newpost.php in DeluxeBB 1.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the membercookie cookie when adding a new thread.
CVE-2010-1855	Phpscripte24 Pay Per Watch \& Bid Auktions System	0.03	—	0.03	May 7, 2010	SQL injection vulnerability in auktion.php in Pay Per Watch & Bid Auktions System allows remote attackers to execute arbitrary SQL commands via the id_auk parameter.
CVE-2010-1744	Alibabaclone B2b Gold Script	0.03	—	0.02	May 6, 2010	SQL injection vulnerability in product.html in B2B Gold Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1743	Satyadeep Scratcher	0.03	—	0.01	May 6, 2010	SQL injection vulnerability in projects.php in Scratcher allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1741	Billwerx Billwerx Rc	0.03	—	0.01	May 6, 2010	SQL injection vulnerability in request_account.php in Billwerx RC 5.2.2 PL2 allows remote attackers to execute arbitrary SQL commands via the primary_number parameter.
CVE-2010-1740	Freeguppy Guppy	0.03	—	0.00	May 6, 2010	SQL injection vulnerability in newsletter.php in GuppY 4.5.18 allows remote attackers to execute arbitrary SQL commands via the lng parameter.
CVE-2010-1739	Joomla Com Newsfeeds	0.03	—	0.00	May 6, 2010	SQL injection vulnerability in the Newsfeeds (com_newsfeeds) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the feedid parameter in a categories action to index.php.
CVE-2010-1727	Aspsiteware Jobpost	0.03	—	0.00	May 6, 2010	SQL injection vulnerability in type.asp in JobPost 1.0 allows remote attackers to execute arbitrary SQL commands via the iType parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-1726	Alibabaclone Ec21 Clone	0.03	—	0.01	May 6, 2010	SQL injection vulnerability in offers_buy.php in EC21 Clone 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1725	Alibabaclone Alibaba Clone Platinum	0.03	—	0.01	May 6, 2010	SQL injection vulnerability in offers_buy.php in Alibaba Clone Platinum allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1583	Taskfreak Taskfreak\!	0.03	—	0.01	May 6, 2010	SQL injection vulnerability in the loadByKey function in the TznDbConnection class in tzn_mysql.php in Tirzen (aka TZN) Framework 1.5, as used in TaskFreak! before 0.6.3, allows remote attackers to execute arbitrary SQL commands via the username field in a login action.
CVE-2010-1721	Thethinkery Com Iproperty	0.03	—	0.00	May 4, 2010	SQL injection vulnerability in the Intellectual Property (aka IProperty or com_iproperty) component 1.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an agentproperties action to index.php.

CVE-2010-1874May 12, 2010
Com Property
Com Properties
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2010-1873May 12, 2010
Jvehicles
Com Jvehicles
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Jvehicles (com_jvehicles) component 1.0, 2.0, and 2.1111 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-4872May 11, 2010
Logoshows
Logoshows Bbs
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in globepersonnel_login.asp in Logoshows BBS 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.
CVE-2009-4871May 11, 2010
Logoshows
Logoshows Bbs
risk 0.03cvss —epss 0.01
SQL injection vulnerability in globepersonnel_forum.asp in Logoshows BBS 2.0 allows remote attackers to execute arbitrary SQL commands via the forumid parameter.
CVE-2009-4870May 11, 2010
Phpcityportal
Phpcityportal
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.php in PHPCityPortal allow remote attackers to execute arbitrary SQL commands via the (1) req_username (aka Username) and (2) req_password (aka Password) parameters. NOTE: some of these details are obtained from third party information.
CVE-2009-4862May 11, 2010
Abushhab
Alwasel
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Alwasel 1.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) show.php and (2) xml.php.
CVE-2009-4860May 11, 2010
Demarque
Typing Pal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in demo.php in Typing Pal 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the idTableProduit parameter.
CVE-2009-4855May 11, 2010
TYPO3
Typo3
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in TYPO3 4.0 allows remote attackers to execute arbitrary SQL commands via the showUid parameter. NOTE: the TYPO3 Security Team disputes this report, stating that "there is no such vulnerability... The showUid parameter is generally used in third-party TYPO3 extensions - not in TYPO3 Core.
CVE-2010-1859May 7, 2010
Deluxebb
Deluxebb
risk 0.03cvss —epss 0.00
SQL injection vulnerability in newpost.php in DeluxeBB 1.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the membercookie cookie when adding a new thread.
CVE-2010-1855May 7, 2010
Phpscripte24
Pay Per Watch \& Bid Auktions System
risk 0.03cvss —epss 0.03
SQL injection vulnerability in auktion.php in Pay Per Watch & Bid Auktions System allows remote attackers to execute arbitrary SQL commands via the id_auk parameter.
CVE-2010-1744May 6, 2010
Alibabaclone
B2b Gold Script
risk 0.03cvss —epss 0.02
SQL injection vulnerability in product.html in B2B Gold Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1743May 6, 2010
Satyadeep
Scratcher
risk 0.03cvss —epss 0.01
SQL injection vulnerability in projects.php in Scratcher allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1741May 6, 2010
Billwerx
Billwerx Rc
risk 0.03cvss —epss 0.01
SQL injection vulnerability in request_account.php in Billwerx RC 5.2.2 PL2 allows remote attackers to execute arbitrary SQL commands via the primary_number parameter.
CVE-2010-1740May 6, 2010
Freeguppy
Guppy
risk 0.03cvss —epss 0.00
SQL injection vulnerability in newsletter.php in GuppY 4.5.18 allows remote attackers to execute arbitrary SQL commands via the lng parameter.
CVE-2010-1739May 6, 2010
Joomla
Com Newsfeeds
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Newsfeeds (com_newsfeeds) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the feedid parameter in a categories action to index.php.
CVE-2010-1727May 6, 2010
Aspsiteware
Jobpost
risk 0.03cvss —epss 0.00
SQL injection vulnerability in type.asp in JobPost 1.0 allows remote attackers to execute arbitrary SQL commands via the iType parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-1726May 6, 2010
Alibabaclone
Ec21 Clone
risk 0.03cvss —epss 0.01
SQL injection vulnerability in offers_buy.php in EC21 Clone 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1725May 6, 2010
Alibabaclone
Alibaba Clone Platinum
risk 0.03cvss —epss 0.01
SQL injection vulnerability in offers_buy.php in Alibaba Clone Platinum allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-1583May 6, 2010
Taskfreak
Taskfreak\!
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the loadByKey function in the TznDbConnection class in tzn_mysql.php in Tirzen (aka TZN) Framework 1.5, as used in TaskFreak! before 0.6.3, allows remote attackers to execute arbitrary SQL commands via the username field in a login action.
CVE-2010-1721May 4, 2010
Thethinkery
Com Iproperty
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Intellectual Property (aka IProperty or com_iproperty) component 1.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an agentproperties action to index.php.