CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,875)

page 280 of 444

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-1372	Hdflvplayer Com Hdflvplayer	0.03	—	0.01	Apr 13, 2010	SQL injection vulnerability in the HD FLV Player (com_hdflvplayer) component 1.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2010-1369	Preprojects Pre Classified Listings Asp	0.03	—	0.01	Apr 13, 2010	SQL injection vulnerability in signup.asp in Pre Classified Listings ASP allows remote attackers to execute arbitrary SQL commands via the email parameter.
CVE-2010-1368	Gamescript Gamescript	0.03	—	0.00	Apr 13, 2010	SQL injection vulnerability in index.php in GameScript (GS) 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a category action.
CVE-2010-1366	Uiga Fan Club	0.03	—	0.00	Apr 13, 2010	Multiple SQL injection vulnerabilities in admin/admin_login.php in Uiga Fan Club 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) admin_name and (2) admin_password parameters.
CVE-2010-1365	Uiga Fan Club	0.03	—	0.01	Apr 13, 2010	SQL injection vulnerability in index.php in Uiga Fan Club, as downloaded on 20100310, allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action.
CVE-2010-1364	Uiga Personal Portal	0.03	—	0.00	Apr 13, 2010	SQL injection vulnerability in index.php in Uiga Personal Portal, as downloaded on 20100301, allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action. NOTE: some of these details are obtained from third party information.
CVE-2010-1363	Extremejoomla Com J Projects	0.03	—	0.00	Apr 13, 2010	SQL injection vulnerability in the JProjects (com_j-projects) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the project parameter in a projects action to index.php.
CVE-2010-1350	Joomlaprojects Com Jp Jobs	0.03	—	0.02	Apr 12, 2010	SQL injection vulnerability in the JP Jobs (com_jp_jobs) component 1.4.1 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php.
CVE-2010-1346	Ribafs Mini CMS Ribafs	0.03	—	0.01	Apr 9, 2010	SQL injection vulnerability in admin/login.php in Mini CMS RibaFS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the login parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-1344	Cookex Com Ckforms	0.03	—	0.01	Apr 9, 2010	SQL injection vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the fid parameter in a detail action to index.php.
CVE-2010-1343	Bj Sintay Sitex	0.03	—	0.00	Apr 9, 2010	SQL injection vulnerability in photo.php in SiteX 0.7.4 beta allows remote attackers to execute arbitrary SQL commands via the albumid parameter.
CVE-2010-1341	Systemsoftware Community Black Forum	0.03	—	0.00	Apr 9, 2010	SQL injection vulnerability in index.php in Systemsoftware Community Black Forum allows remote attackers to execute arbitrary SQL commands via the s_flaeche parameter.
CVE-2010-1338	Robertotto Teamsite Hack Plugin	0.03	—	0.02	Apr 9, 2010	SQL injection vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to execute arbitrary SQL commands via the userid parameter in a modboard action.
CVE-2010-1336	Invohost Invohost	0.03	—	0.00	Apr 9, 2010	Multiple SQL injection vulnerabilities in INVOhost 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) newlanguage parameters to site.php, (3) search parameter to manuals.php, and (4) unspecified vectors to faq.php. NOTE: some of these details are obtained from third party information.
CVE-2010-1301	Centreon Centreon	0.03	—	0.02	Apr 7, 2010	SQL injection vulnerability in main.php in Centreon 2.1.5 allows remote attackers to execute arbitrary SQL commands via the host_id parameter.
CVE-2010-1300	Yamamah Yamamah	0.03	—	0.04	Apr 7, 2010	SQL injection vulnerability in index.php in Yamamah (aka Dove Photo Album) 1.00 allows remote attackers to execute arbitrary SQL commands via the calbums parameter.
CVE-2010-1271	Smart Plugs Smartplugs	0.03	—	0.01	Apr 6, 2010	SQL injection vulnerability in showplugs.php in smartplugs 1.3 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
CVE-2010-1270	Phpscripte24 Multi Suktions Komplett System	0.03	—	0.02	Apr 6, 2010	SQL injection vulnerability in auktion.php in Multi Auktions Komplett System 2 allows remote attackers to execute arbitrary SQL commands via the id_auk parameter.
CVE-2010-1269	Phpscripte24 Niedrig Gebote Pro Auktions System Ii	0.03	—	0.01	Apr 6, 2010	SQL injection vulnerability in auktion.php in phpscripte24 Niedrig Gebote Pro Auktions System II allows remote attackers to execute arbitrary SQL commands via the id_auk parameter.
CVE-2010-1265	Ekith Com Dcs Flashgames	0.03	—	0.00	Apr 6, 2010	SQL injection vulnerability in Adam Corley dcsFlashGames (com_dcs_flashgames) allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.

CVE-2010-1372Apr 13, 2010
Hdflvplayer
Com Hdflvplayer
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the HD FLV Player (com_hdflvplayer) component 1.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2010-1369Apr 13, 2010
Preprojects
Pre Classified Listings Asp
risk 0.03cvss —epss 0.01
SQL injection vulnerability in signup.asp in Pre Classified Listings ASP allows remote attackers to execute arbitrary SQL commands via the email parameter.
CVE-2010-1368Apr 13, 2010
Gamescript
Gamescript
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in GameScript (GS) 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a category action.
CVE-2010-1366Apr 13, 2010
Uiga
Fan Club
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in admin/admin_login.php in Uiga Fan Club 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) admin_name and (2) admin_password parameters.
CVE-2010-1365Apr 13, 2010
Uiga
Fan Club
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Uiga Fan Club, as downloaded on 20100310, allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action.
CVE-2010-1364Apr 13, 2010
Uiga
Personal Portal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Uiga Personal Portal, as downloaded on 20100301, allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action. NOTE: some of these details are obtained from third party information.
CVE-2010-1363Apr 13, 2010
Extremejoomla
Com J Projects
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JProjects (com_j-projects) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the project parameter in a projects action to index.php.
CVE-2010-1350Apr 12, 2010
Joomlaprojects
Com Jp Jobs
risk 0.03cvss —epss 0.02
SQL injection vulnerability in the JP Jobs (com_jp_jobs) component 1.4.1 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php.
CVE-2010-1346Apr 9, 2010
Ribafs
Mini CMS Ribafs
risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin/login.php in Mini CMS RibaFS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the login parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-1344Apr 9, 2010
Cookex
Com Ckforms
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the fid parameter in a detail action to index.php.
CVE-2010-1343Apr 9, 2010
Bj Sintay
Sitex
risk 0.03cvss —epss 0.00
SQL injection vulnerability in photo.php in SiteX 0.7.4 beta allows remote attackers to execute arbitrary SQL commands via the albumid parameter.
CVE-2010-1341Apr 9, 2010
Systemsoftware
Community Black Forum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Systemsoftware Community Black Forum allows remote attackers to execute arbitrary SQL commands via the s_flaeche parameter.
CVE-2010-1338Apr 9, 2010
Robertotto
Teamsite Hack Plugin
risk 0.03cvss —epss 0.02
SQL injection vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to execute arbitrary SQL commands via the userid parameter in a modboard action.
CVE-2010-1336Apr 9, 2010
Invohost
Invohost
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in INVOhost 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) newlanguage parameters to site.php, (3) search parameter to manuals.php, and (4) unspecified vectors to faq.php. NOTE: some of these details are obtained from third party information.
CVE-2010-1301Apr 7, 2010
Centreon
Centreon
risk 0.03cvss —epss 0.02
SQL injection vulnerability in main.php in Centreon 2.1.5 allows remote attackers to execute arbitrary SQL commands via the host_id parameter.
CVE-2010-1300Apr 7, 2010
Yamamah
Yamamah
risk 0.03cvss —epss 0.04
SQL injection vulnerability in index.php in Yamamah (aka Dove Photo Album) 1.00 allows remote attackers to execute arbitrary SQL commands via the calbums parameter.
CVE-2010-1271Apr 6, 2010
Smart Plugs
Smartplugs
risk 0.03cvss —epss 0.01
SQL injection vulnerability in showplugs.php in smartplugs 1.3 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
CVE-2010-1270Apr 6, 2010
Phpscripte24
Multi Suktions Komplett System
risk 0.03cvss —epss 0.02
SQL injection vulnerability in auktion.php in Multi Auktions Komplett System 2 allows remote attackers to execute arbitrary SQL commands via the id_auk parameter.
CVE-2010-1269Apr 6, 2010
Phpscripte24
Niedrig Gebote Pro Auktions System Ii
risk 0.03cvss —epss 0.01
SQL injection vulnerability in auktion.php in phpscripte24 Niedrig Gebote Pro Auktions System II allows remote attackers to execute arbitrary SQL commands via the id_auk parameter.
CVE-2010-1265Apr 6, 2010
Ekith
Com Dcs Flashgames
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Adam Corley dcsFlashGames (com_dcs_flashgames) allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.