CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,875)

page 284 of 444

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2010-0803	Jvideodirect Com Jvideodirect	0.03	—	0.00	Mar 2, 2010	SQL injection vulnerability in the jVideoDirect (com_jvideodirect) component 1.1 RC3b for Joomla! allows remote attackers to execute arbitrary SQL commands via the v parameter to index.php.
CVE-2010-0802	Aleinbeen \(nv2\) Awards	0.03	—	0.00	Mar 2, 2010	SQL injection vulnerability in index.php in (nv2) Awards 1.1.0, a modification for Invision Power Board, allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action.
CVE-2010-0800	Joomservices Com Dms	0.03	—	0.00	Mar 2, 2010	SQL injection vulnerability in the Ossolution Team Documents Seller (aka DMS) (com_dms) component 2.5.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a view_category action to index.php.
CVE-2010-0796	Harmistechnology Com Jeeventcalendar	0.03	—	0.01	Mar 2, 2010	SQL injection vulnerability in the JE Quiz (com_jequizmanagement) component 1.b01 for Joomla! allows remote attackers to execute arbitrary SQL commands via the eid parameter in a question action to index.php.
CVE-2010-0795	Harmistechnology Com Jeeventcalendar	0.03	—	0.00	Mar 2, 2010	SQL injection vulnerability in the JE Event Calendars (com_jeeventcalendar) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the event_id parameter in an event action to index.php.
CVE-2010-0764	Kuwaitphp Esmile	0.03	—	0.00	Mar 2, 2010	SQL injection vulnerability in index.php in KuwaitPHP eSmile allows remote attackers to execute arbitrary SQL commands via the cid parameter in a show action.
CVE-2010-0763	Commodityrentals Vacation Rental Software	0.03	—	0.00	Mar 2, 2010	SQL injection vulnerability in index.php in CommodityRentals Vacation Rental Software allows remote attackers to execute arbitrary SQL commands via the rental_id parameter in a CalendarView action.
CVE-2010-0762	Commodityrentals Cd Rental Software	0.03	—	0.01	Mar 2, 2010	SQL injection vulnerability in index.php in CommodityRentals CD Rental Software allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a catalog action.
CVE-2010-0761	Commodityrentals Books\/ebooks Rentals Script	0.03	—	0.01	Mar 2, 2010	SQL injection vulnerability in index.php in CommodityRentals Books/eBooks Rentals Script allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a gamecatalog action.
CVE-2010-0758	Softbizscripts Softbiz Jobs And Recruitment Script	0.03	—	0.00	Feb 27, 2010	SQL injection vulnerability in news_desc.php in Softbiz Jobs allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0753	Componentslab Com Sqlreport	0.03	—	0.01	Feb 27, 2010	SQL injection vulnerability in the SQL Reports (com_sqlreport) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter to ajax/print.php. NOTE: some of these details are obtained from third party information.
CVE-2010-0724	Mhd Zaher Ghaibeh Arab Cart	0.03	—	0.01	Feb 26, 2010	SQL injection vulnerability in showimg.php in Arab Cart 1.0.2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0723	Mhproducts Ero Auktion	0.03	—	0.02	Feb 26, 2010	SQL injection vulnerability in news.php in Ero Auktion 2.0 and 2010 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0722	Mhproducts PHP Auktion Pro	0.03	—	0.00	Feb 26, 2010	SQL injection vulnerability in news.php in Php Auktion Pro allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0721	Systemsoftware Auktionshaus Gelb	0.03	—	0.01	Feb 26, 2010	SQL injection vulnerability in news.php in Auktionshaus Gelb 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0720	Systemsoftware Erotik Auktionshaus	0.03	—	0.01	Feb 26, 2010	SQL injection vulnerability in news.php in Erotik Auktionshaus allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0712	Zenoss Zenoss	0.03	—	0.01	Feb 26, 2010	Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEventsInfo in Zenoss 2.3.3, and other versions before 2.5, allow remote authenticated users to execute arbitrary SQL commands via the (1) severity, (2) state, (3) filter, (4) offset, and (5) count parameters.
CVE-2010-0702	Netfortris Trixbox	0.03	—	0.01	Feb 23, 2010	SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2010-0701	Newgensoft Omnidocs	0.03	—	0.01	Feb 23, 2010	SQL injection vulnerability in ForceChangePassword.jsp in Newgen Software OmniDocs allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2010-0698	Dynamicsoft Wsc CMS	0.03	—	0.00	Feb 23, 2010	SQL injection vulnerability in backoffice/login.asp in Dynamicsoft WSC CMS 2.2 allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: some of these details are obtained from third party information.

CVE-2010-0803Mar 2, 2010
Jvideodirect
Com Jvideodirect
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the jVideoDirect (com_jvideodirect) component 1.1 RC3b for Joomla! allows remote attackers to execute arbitrary SQL commands via the v parameter to index.php.
CVE-2010-0802Mar 2, 2010
Aleinbeen
\(nv2\) Awards
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in (nv2) Awards 1.1.0, a modification for Invision Power Board, allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action.
CVE-2010-0800Mar 2, 2010
Joomservices
Com Dms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Ossolution Team Documents Seller (aka DMS) (com_dms) component 2.5.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a view_category action to index.php.
CVE-2010-0796Mar 2, 2010
Harmistechnology
Com Jeeventcalendar
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the JE Quiz (com_jequizmanagement) component 1.b01 for Joomla! allows remote attackers to execute arbitrary SQL commands via the eid parameter in a question action to index.php.
CVE-2010-0795Mar 2, 2010
Harmistechnology
Com Jeeventcalendar
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JE Event Calendars (com_jeeventcalendar) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the event_id parameter in an event action to index.php.
CVE-2010-0764Mar 2, 2010
Kuwaitphp
Esmile
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in KuwaitPHP eSmile allows remote attackers to execute arbitrary SQL commands via the cid parameter in a show action.
CVE-2010-0763Mar 2, 2010
Commodityrentals
Vacation Rental Software
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in CommodityRentals Vacation Rental Software allows remote attackers to execute arbitrary SQL commands via the rental_id parameter in a CalendarView action.
CVE-2010-0762Mar 2, 2010
Commodityrentals
Cd Rental Software
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in CommodityRentals CD Rental Software allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a catalog action.
CVE-2010-0761Mar 2, 2010
Commodityrentals
Books\/ebooks Rentals Script
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in CommodityRentals Books/eBooks Rentals Script allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a gamecatalog action.
CVE-2010-0758Feb 27, 2010
Softbizscripts
Softbiz Jobs And Recruitment Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in news_desc.php in Softbiz Jobs allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0753Feb 27, 2010
Componentslab
Com Sqlreport
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the SQL Reports (com_sqlreport) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter to ajax/print.php. NOTE: some of these details are obtained from third party information.
CVE-2010-0724Feb 26, 2010
Mhd Zaher Ghaibeh
Arab Cart
risk 0.03cvss —epss 0.01
SQL injection vulnerability in showimg.php in Arab Cart 1.0.2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0723Feb 26, 2010
Mhproducts
Ero Auktion
risk 0.03cvss —epss 0.02
SQL injection vulnerability in news.php in Ero Auktion 2.0 and 2010 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0722Feb 26, 2010
Mhproducts
PHP Auktion Pro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in news.php in Php Auktion Pro allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0721Feb 26, 2010
Systemsoftware
Auktionshaus Gelb
risk 0.03cvss —epss 0.01
SQL injection vulnerability in news.php in Auktionshaus Gelb 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0720Feb 26, 2010
Systemsoftware
Erotik Auktionshaus
risk 0.03cvss —epss 0.01
SQL injection vulnerability in news.php in Erotik Auktionshaus allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2010-0712Feb 26, 2010
Zenoss
Zenoss
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEventsInfo in Zenoss 2.3.3, and other versions before 2.5, allow remote authenticated users to execute arbitrary SQL commands via the (1) severity, (2) state, (3) filter, (4) offset, and (5) count parameters.
CVE-2010-0702Feb 23, 2010
Netfortris
Trixbox
risk 0.03cvss —epss 0.01
SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2010-0701Feb 23, 2010
Newgensoft
Omnidocs
risk 0.03cvss —epss 0.01
SQL injection vulnerability in ForceChangePassword.jsp in Newgen Software OmniDocs allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2010-0698Feb 23, 2010
Dynamicsoft
Wsc CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in backoffice/login.asp in Dynamicsoft WSC CMS 2.2 allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: some of these details are obtained from third party information.