VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 29 of 512
  • CVE-2023-3377CriNov 23, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veribilim Software Computer Veribase allows SQL Injection. This issue affects Veribase: through 20231123.  NOTE: The vendor was contacted early about this disclosure but did…

  • CVE-2023-2889CriNov 22, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veon Computer Service Tracking Software allows SQL Injection. This issue affects Service Tracking Software: before crm 2.0.

  • CVE-2023-5047CriNov 22, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DRD Fleet Leasing DRDrive allows SQL Injection. This issue affects DRDrive: before 20231006.

  • CVE-2023-38382CriNov 6, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category allows SQL Injection.This issue affects Subscribe to Category: from n/a through 2.7.4.

  • CVE-2023-36529CriNov 3, 2023
    risk 0.64cvss 9.9epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme allows SQL Injection.This issue affects Houzez - Real Estate WordPress Theme: from n/a through 1.3.4.

  • CVE-2023-36263CriOct 31, 2023
    risk 0.64cvss 9.8epss 0.00

    Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

  • CVE-2023-5807CriOct 27, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TRtek Software Education Portal allows SQL Injection. This issue affects Education Portal: before 3.2023.29.

  • CVE-2023-5204CriOct 19, 2023
    risk 0.64cvss 9.8epss 0.07

    The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for…

  • CVE-2023-5046CriOct 12, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Biltay Technology Procost allows SQL Injection, Command Line Execution through SQL Injection. This issue affects Procost: before 1390.

  • CVE-2023-5045CriOct 12, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Biltay Technology Kayisi allows SQL Injection, Command Line Execution through SQL Injection. This issue affects Kayisi: before 1286.

  • CVE-2023-4530CriOct 6, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Turna Advertising Administration Panel allows SQL Injection. This issue affects Advertising Administration Panel: before 1.1.

  • CVE-2023-4737CriSep 27, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hedef Tracking Admin Panel allows SQL Injection. This issue affects Admin Panel: before 1.2.

  • CVE-2023-35071CriSep 27, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MRV Tech Logging Administration Panel allows SQL Injection. This issue affects Logging Administration Panel: before 20230915 .

  • CVE-2023-34576CriSep 21, 2023
    risk 0.64cvss 9.8epss 0.01

    SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspedified vector.

  • CVE-2023-34575CriSep 20, 2023
    risk 0.64cvss 9.8epss 0.01

    SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods.

  • CVE-2023-4835CriSep 15, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CF Software Oil Management Software allows SQL Injection. This issue affects Oil Management Software: before 20230912 .

  • CVE-2023-4833CriSep 15, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Besttem Network Marketing Software allows SQL Injection. This issue affects Network Marketing Software: before 1.0.2309.6.

  • CVE-2023-4661CriSep 15, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saphira Saphira Connect allows SQL Injection. This issue affects Saphira Connect: before 9.

  • CVE-2023-4670CriSep 15, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Innosa Probbys allows SQL Injection. This issue affects Probbys: before 2.

  • CVE-2023-4231CriSep 15, 2023
    risk 0.64cvss 9.8epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cevik Informatics Online Payment System allows SQL Injection. This issue affects Online Payment System: before 4.09.