CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,875)
page 281 of 444| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-4751 | 0.03 | — | 0.00 | Mar 26, 2010 | SQL injection vulnerability in anzeiger/start.php in Swinger Club Portal allows remote attackers to execute arbitrary SQL commands via the id parameter in a rubrik action. | |||
| CVE-2009-4749 | 0.03 | — | 0.01 | Mar 26, 2010 | Multiple SQL injection vulnerabilities in PHP Live! 3.2.1 and 3.2.2 allow remote attackers to execute arbitrary SQL commands via the x parameter to (1) message_box.php and (2) request.php. | |||
| CVE-2009-4748 | 0.03 | — | 0.00 | Mar 26, 2010 | SQL injection vulnerability in mycategoryorder.php in the My Category Order plugin 2.8 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the parentID parameter in an act_OrderCategories action to wp-admin/post-new.php. | |||
| CVE-2009-4745 | 0.03 | — | 0.00 | Mar 26, 2010 | Multiple SQL injection vulnerabilities in index.php in Dreamlevels DreamPoll 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) sortField, (2) sortDesc, or (3) pageNumber parameter in a login action. | |||
| CVE-2009-4742 | 0.03 | — | 0.00 | Mar 26, 2010 | Multiple SQL injection vulnerabilities in Docebo 3.6.0.3 allow remote attackers to execute arbitrary SQL commands via (1) the word parameter in a play help action to the faq module, reachable through index.php; (2) the word parameter in a play keyw action to the link module, reachable through index.php; (3) the id_certificate parameter in an elemmetacertificate action to the meta_certificate module, reachable through index.php; or (4) the id_certificate parameter in an elemcertificate action to the certificate module, reachable through index.php. | |||
| CVE-2010-1109 | 0.03 | — | 0.01 | Mar 25, 2010 | Multiple SQL injection vulnerabilities in index.php in phpMySport 1.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) v2 parameter in a member view action, (2) v1 parameter in a news action, (3) v1 parameter in an information action, (4) v2 parameter in a team view action, (5) v2 parameter in a club view action, or (6) v2 parameter in a matches view action. | |||
| CVE-2010-1094 | 0.03 | — | 0.01 | Mar 24, 2010 | SQL injection vulnerability in news.php in DZ EROTIK Auktionshaus V4rgo allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2010-1093 | — | 0.03 | — | 0.01 | Mar 24, 2010 | SQL injection vulnerability in rss.php in 1024 CMS 2.1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a vp action. | ||
| CVE-2010-1092 | 0.03 | — | 0.00 | Mar 24, 2010 | Multiple SQL injection vulnerabilities in login.php in ScriptsFeed Business Directory Software allow remote attackers to execute arbitrary SQL commands via the (1) us and (2) ps parameters. | |||
| CVE-2010-1090 | 0.03 | — | 0.01 | Mar 24, 2010 | SQL injection vulnerability in index.php in phpMySite allows remote attackers to execute arbitrary SQL commands via the action parameter. | |||
| CVE-2010-1089 | 0.03 | — | 0.01 | Mar 24, 2010 | SQL injection vulnerability in vedi_faq.php in PHP Trouble Ticket 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2010-1078 | 0.03 | — | 0.00 | Mar 23, 2010 | SQL injection vulnerability in archive.php in XlentProjects SphereCMS 1.1 alpha allows remote attackers to execute arbitrary SQL commands via encoded null bytes ("%00") in the view parameter, which bypasses a protection mechanism. | |||
| CVE-2010-1073 | 0.03 | — | 0.00 | Mar 23, 2010 | SQL injection vulnerability in the jEmbed-Embed Anything (com_jembed) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a summary action to index.php. | |||
| CVE-2010-1071 | 0.03 | — | 0.00 | Mar 23, 2010 | SQL injection vulnerability in profil.php in phpMDJ 1.0.3 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2010-1070 | 0.03 | — | 0.01 | Mar 23, 2010 | SQL injection vulnerability in index.php in ImagoScripts Deviant Art Clone allows remote attackers to execute arbitrary SQL commands via the seid parameter in a forums viewcat action. | |||
| CVE-2010-1069 | 0.03 | — | 0.00 | Mar 23, 2010 | SQL injection vulnerability in games/game.php in ProArcadeScript allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2010-1054 | 0.03 | — | 0.02 | Mar 23, 2010 | Multiple SQL injection vulnerabilities in ParsCMS allow remote attackers to execute arbitrary SQL commands via the RP parameter to (1) fa_default.asp and (2) en_default.asp. | |||
| CVE-2010-1053 | 0.03 | — | 0.00 | Mar 23, 2010 | Multiple SQL injection vulnerabilities in Zen Time Tracking 2.2 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to (a) userlogin.php and (b) managerlogin.php. NOTE: some of these details are obtained from third party information. | |||
| CVE-2010-1051 | 0.03 | — | 0.00 | Mar 23, 2010 | Multiple SQL injection vulnerabilities in index.php in AudiStat 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) year and (2) month parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||
| CVE-2010-1050 | 0.03 | — | 0.01 | Mar 23, 2010 | SQL injection vulnerability in index.php in AudiStat 1.3 allows remote attackers to execute arbitrary SQL commands via the mday parameter. |
- CVE-2009-4751Mar 26, 2010risk 0.03cvss —epss 0.00
SQL injection vulnerability in anzeiger/start.php in Swinger Club Portal allows remote attackers to execute arbitrary SQL commands via the id parameter in a rubrik action.
- CVE-2009-4749Mar 26, 2010risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in PHP Live! 3.2.1 and 3.2.2 allow remote attackers to execute arbitrary SQL commands via the x parameter to (1) message_box.php and (2) request.php.
- CVE-2009-4748Mar 26, 2010risk 0.03cvss —epss 0.00
SQL injection vulnerability in mycategoryorder.php in the My Category Order plugin 2.8 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the parentID parameter in an act_OrderCategories action to wp-admin/post-new.php.
- CVE-2009-4745Mar 26, 2010risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in index.php in Dreamlevels DreamPoll 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) sortField, (2) sortDesc, or (3) pageNumber parameter in a login action.
- CVE-2009-4742Mar 26, 2010risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Docebo 3.6.0.3 allow remote attackers to execute arbitrary SQL commands via (1) the word parameter in a play help action to the faq module, reachable through index.php; (2) the word parameter in a play keyw action to the link module, reachable through index.php; (3) the id_certificate parameter in an elemmetacertificate action to the meta_certificate module, reachable through index.php; or (4) the id_certificate parameter in an elemcertificate action to the certificate module, reachable through index.php.
- CVE-2010-1109Mar 25, 2010risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in index.php in phpMySport 1.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) v2 parameter in a member view action, (2) v1 parameter in a news action, (3) v1 parameter in an information action, (4) v2 parameter in a team view action, (5) v2 parameter in a club view action, or (6) v2 parameter in a matches view action.
- CVE-2010-1094Mar 24, 2010risk 0.03cvss —epss 0.01
SQL injection vulnerability in news.php in DZ EROTIK Auktionshaus V4rgo allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2010-1093Mar 24, 2010risk 0.03cvss —epss 0.01
SQL injection vulnerability in rss.php in 1024 CMS 2.1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a vp action.
- CVE-2010-1092Mar 24, 2010risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.php in ScriptsFeed Business Directory Software allow remote attackers to execute arbitrary SQL commands via the (1) us and (2) ps parameters.
- CVE-2010-1090Mar 24, 2010risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in phpMySite allows remote attackers to execute arbitrary SQL commands via the action parameter.
- CVE-2010-1089Mar 24, 2010risk 0.03cvss —epss 0.01
SQL injection vulnerability in vedi_faq.php in PHP Trouble Ticket 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2010-1078Mar 23, 2010risk 0.03cvss —epss 0.00
SQL injection vulnerability in archive.php in XlentProjects SphereCMS 1.1 alpha allows remote attackers to execute arbitrary SQL commands via encoded null bytes ("%00") in the view parameter, which bypasses a protection mechanism.
- CVE-2010-1073Mar 23, 2010risk 0.03cvss —epss 0.00
SQL injection vulnerability in the jEmbed-Embed Anything (com_jembed) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a summary action to index.php.
- CVE-2010-1071Mar 23, 2010risk 0.03cvss —epss 0.00
SQL injection vulnerability in profil.php in phpMDJ 1.0.3 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2010-1070Mar 23, 2010risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in ImagoScripts Deviant Art Clone allows remote attackers to execute arbitrary SQL commands via the seid parameter in a forums viewcat action.
- CVE-2010-1069Mar 23, 2010risk 0.03cvss —epss 0.00
SQL injection vulnerability in games/game.php in ProArcadeScript allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2010-1054Mar 23, 2010risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in ParsCMS allow remote attackers to execute arbitrary SQL commands via the RP parameter to (1) fa_default.asp and (2) en_default.asp.
- CVE-2010-1053Mar 23, 2010risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Zen Time Tracking 2.2 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to (a) userlogin.php and (b) managerlogin.php. NOTE: some of these details are obtained from third party information.
- CVE-2010-1051Mar 23, 2010risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in index.php in AudiStat 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) year and (2) month parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2010-1050Mar 23, 2010risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in AudiStat 1.3 allows remote attackers to execute arbitrary SQL commands via the mday parameter.