CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,850)

page 289 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-3804	Runcms Runcms	0.03	—	0.00	Oct 27, 2009	Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2) the topic_id parameter.
CVE-2009-3758	Citrix Systems Xencenterweb	0.03	—	0.01	Oct 22, 2009	SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-3754	Kreotek Phpbms	0.03	—	0.00	Oct 22, 2009	Multiple SQL injection vulnerabilities in phpBMS 0.96 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to modules/bms/invoices_discount_ajax.php, (2) f parameter to dbgraphic.php, and (3) tid parameter in a show action to advancedsearch.php.
CVE-2009-3752	Opial Opial	0.03	—	0.00	Oct 22, 2009	SQL injection vulnerability in home.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the genres_parent parameter.
CVE-2009-3750	Santostefano Giovanni Toylog	0.03	—	0.00	Oct 22, 2009	SQL injection vulnerability in read.php in ToyLog 0.1 allows remote attackers to execute arbitrary SQL commands via the idm parameter.
CVE-2009-3718	Davethewebguy Battle Blog	0.03	—	0.00	Oct 16, 2009	SQL injection vulnerability in admin/authenticate.asp in Battle Blog 1.25 and 1.30 build 2 allows remote attackers to execute arbitrary SQL commands via the UserName parameter.
CVE-2009-3715	Maniacomputer Mcshoutbox	0.03	—	0.00	Oct 16, 2009	Multiple SQL injection vulnerabilities in scr_login.php in MCshoutbox 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-3713	Morcego Morcegocms	0.03	—	0.00	Oct 16, 2009	SQL injection vulnerability in fichero.php in MorcegoCMS 1.7.6 and earlier allows remote attackers to execute arbitrary SQL commands via the query string.
CVE-2009-3712	Ebayclonescript Ebay Clone	0.03	—	0.00	Oct 16, 2009	Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php; and the item_id parameter to (2) view_full_size.php, (3) classifide_ad.php, and (4) crosspromoteitems.php.
CVE-2009-2734	Achievo Achievo	0.03	—	0.00	Oct 16, 2009	SQL injection vulnerability in the get_employee function in classweekreport.inc in Achievo before 1.4.0 allows remote attackers to execute arbitrary SQL commands via the userid parameter (aka user_id variable) to dispatch.php.
CVE-2009-3669	Foobla Com Foobla Suggestions	0.03	—	0.00	Oct 11, 2009	SQL injection vulnerability in the foobla Suggestions (com_foobla_suggestions) component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.
CVE-2009-3667	Adsdx Adsdx	0.03	—	0.00	Oct 11, 2009	SQL injection vulnerability in admin/index.php in AdsDX 3.05 allows remote attackers to execute arbitrary SQL commands via the Username.
CVE-2009-3665	Nullam Nullam Blog	0.03	—	0.00	Oct 11, 2009	Multiple SQL injection vulnerabilities in index.php in Nullam Blog 0.1.2 allow remote attackers to execute arbitrary SQL commands via the (1) i parameter or (2) v parameters in a register action.
CVE-2009-3661	Blueconstantmedia Com Djcatalog	0.03	—	0.00	Oct 11, 2009	Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
CVE-2009-3659	Stanback Bs Counter	0.03	—	0.00	Oct 11, 2009	SQL injection vulnerability in file/stats.php in BS Counter 2.5.3 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2009-3645	Joomlacache Com Cbresumebuilder	0.03	—	0.00	Oct 9, 2009	SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.
CVE-2009-3644	Soundset Com Soundset	0.03	—	0.00	Oct 9, 2009	SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
CVE-2009-3642	Frontrange Heat	0.03	—	0.00	Oct 9, 2009	Multiple SQL injection vulnerabilities in the Call Logging feature in FrontRange HEAT 8.01 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-3595	Vspanel Vs Panel	0.03	—	0.00	Oct 8, 2009	SQL injection vulnerability in results.php in VS PANEL 7.5.5 allows remote attackers to execute arbitrary SQL commands via the Cat_ID parameter, a different vector than CVE-2009-3590.
CVE-2009-3590	Vspanel Vs Panel	0.03	—	0.00	Oct 8, 2009	SQL injection vulnerability in showcat.php in VS PANEL 7.3.6 allows remote attackers to execute arbitrary SQL commands via the Cat_ID parameter.

CVE-2009-3804Oct 27, 2009
Runcms
Runcms
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2) the topic_id parameter.
CVE-2009-3758Oct 22, 2009
Citrix Systems
Xencenterweb
risk 0.03cvss —epss 0.01
SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-3754Oct 22, 2009
Kreotek
Phpbms
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in phpBMS 0.96 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to modules/bms/invoices_discount_ajax.php, (2) f parameter to dbgraphic.php, and (3) tid parameter in a show action to advancedsearch.php.
CVE-2009-3752Oct 22, 2009
Opial
Opial
risk 0.03cvss —epss 0.00
SQL injection vulnerability in home.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the genres_parent parameter.
CVE-2009-3750Oct 22, 2009
Santostefano Giovanni
Toylog
risk 0.03cvss —epss 0.00
SQL injection vulnerability in read.php in ToyLog 0.1 allows remote attackers to execute arbitrary SQL commands via the idm parameter.
CVE-2009-3718Oct 16, 2009
Davethewebguy
Battle Blog
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/authenticate.asp in Battle Blog 1.25 and 1.30 build 2 allows remote attackers to execute arbitrary SQL commands via the UserName parameter.
CVE-2009-3715Oct 16, 2009
Maniacomputer
Mcshoutbox
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in scr_login.php in MCshoutbox 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-3713Oct 16, 2009
Morcego
Morcegocms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in fichero.php in MorcegoCMS 1.7.6 and earlier allows remote attackers to execute arbitrary SQL commands via the query string.
CVE-2009-3712Oct 16, 2009
Ebayclonescript
Ebay Clone
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php; and the item_id parameter to (2) view_full_size.php, (3) classifide_ad.php, and (4) crosspromoteitems.php.
CVE-2009-2734Oct 16, 2009
Achievo
Achievo
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the get_employee function in classweekreport.inc in Achievo before 1.4.0 allows remote attackers to execute arbitrary SQL commands via the userid parameter (aka user_id variable) to dispatch.php.
CVE-2009-3669Oct 11, 2009
Foobla
Com Foobla Suggestions
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the foobla Suggestions (com_foobla_suggestions) component 1.5.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the idea_id parameter to index.php.
CVE-2009-3667Oct 11, 2009
Adsdx
Adsdx
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in AdsDX 3.05 allows remote attackers to execute arbitrary SQL commands via the Username.
CVE-2009-3665Oct 11, 2009
Nullam
Nullam Blog
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in index.php in Nullam Blog 0.1.2 allow remote attackers to execute arbitrary SQL commands via the (1) i parameter or (2) v parameters in a register action.
CVE-2009-3661Oct 11, 2009
Blueconstantmedia
Com Djcatalog
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a showItem action and (2) cid parameter in a show action to index.php.
CVE-2009-3659Oct 11, 2009
Stanback
Bs Counter
risk 0.03cvss —epss 0.00
SQL injection vulnerability in file/stats.php in BS Counter 2.5.3 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2009-3645Oct 9, 2009
Joomlacache
Com Cbresumebuilder
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_cbresumebuilder) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a group_members action to index.php.
CVE-2009-3644Oct 9, 2009
Soundset
Com Soundset
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Soundset (com_soundset) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php.
CVE-2009-3642Oct 9, 2009
Frontrange
Heat
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in the Call Logging feature in FrontRange HEAT 8.01 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-3595Oct 8, 2009
Vspanel
Vs Panel
risk 0.03cvss —epss 0.00
SQL injection vulnerability in results.php in VS PANEL 7.5.5 allows remote attackers to execute arbitrary SQL commands via the Cat_ID parameter, a different vector than CVE-2009-3590.
CVE-2009-3590Oct 8, 2009
Vspanel
Vs Panel
risk 0.03cvss —epss 0.00
SQL injection vulnerability in showcat.php in VS PANEL 7.3.6 allows remote attackers to execute arbitrary SQL commands via the Cat_ID parameter.