VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 28 of 512
  • CVE-2024-0610CriFeb 17, 2024
    risk 0.64cvss 9.8epss 0.01

    The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of…

  • CVE-2023-7081CriFeb 15, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in POSTAHSİL Online Payment System allows SQL Injection. This issue affects Online Payment System: before 14.02.2024.

  • CVE-2023-5155CriFeb 15, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Utarit Information Technologies SoliPay Mobile App allows SQL Injection. This issue affects SoliPay Mobile App: before 5.0.8.

  • CVE-2023-6441CriFeb 14, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in UNI-PA University Marketing & Computer Internet Trade Inc. University Information System allows SQL Injection. This issue affects University Information System: before…

  • CVE-2023-6677CriFeb 9, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oduyo Financial Technology Online Collection allows SQL Injection. This issue affects Online Collection: before v.1.0.2.

  • CVE-2024-23751CriJan 22, 2024
    risk 0.64cvss 9.8epss 0.01

    LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's…

  • CVE-2024-0705CriJan 19, 2024
    risk 0.64cvss 9.8epss 0.03

    The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL…

  • CVE-2023-5806CriJan 18, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection. This issue affects Quality Management System: before v1.2.

  • CVE-2023-6436CriJan 2, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection. This issue affects Website Template: through 20231215.

  • CVE-2023-50578CriDec 30, 2023
    risk 0.64cvss 9.8epss 0.02

    Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do.

  • CVE-2023-41543CriDec 30, 2023
    risk 0.64cvss 9.8epss 0.01

    SQL injection vulnerability in jeecg-boot v3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the component /sys/replicate/check.

  • CVE-2023-41542CriDec 30, 2023
    risk 0.64cvss 9.8epss 0.01

    SQL injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the jmreport/qurestSql component.

  • CVE-2023-4675CriDec 29, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GM Information Technologies MDO allows SQL Injection. This issue affects MDO: through 20231229.  NOTE: The vendor was contacted early about this disclosure but did not…

  • CVE-2023-4541CriDec 29, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ween Software Admin Panel allows SQL Injection. This issue affects Admin Panel: through 20231229.  NOTE: The vendor was contacted early about this disclosure but did not…

  • CVE-2023-4671CriDec 28, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software ECOP allows Command Line Execution through SQL Injection. This issue affects ECOP: before 32255.

  • CVE-2023-6145CriDec 21, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in İstanbul Soft Informatics and Consultancy Limited Company Softomi Advanced C2C Marketplace Software allows SQL Injection. This issue affects Softomi Advanced C2C Marketplace…

  • CVE-2023-49371CriDec 1, 2023
    risk 0.64cvss 9.8epss 0.04

    RuoYi up to v4.6 was discovered to contain a SQL injection vulnerability via /system/dept/edit.

  • CVE-2023-5634CriDec 1, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ArslanSoft Education Portal allows SQL Injection. This issue affects Education Portal: before v1.1.

  • CVE-2022-45135CriNov 30, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

  • CVE-2023-3631CriNov 23, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Medart Health Services Medart Notification Panel allows SQL Injection. This issue affects Medart Notification Panel: through 20231123.  NOTE: The vendor was contacted early…