CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,850)

page 291 of 443

CVE	Vendor / Product	Risk	CVSS	Published	Description
CVE-2009-3430	Allomani Mobile	0.03	—	Sep 25, 2009	SQL injection vulnerability in login.php in Allomani Mobile 2.5 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
CVE-2009-3419	Intesync Miniweb	0.03	—	Sep 25, 2009	SQL injection vulnerability in index.php in the Publisher module 2.0 for Miniweb allows remote attackers to execute arbitrary SQL commands via the historymonth parameter.
CVE-2009-3418	Plume Cms Plume CMS	0.03	—	Sep 25, 2009	Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) remote authenticated users to execute arbitrary SQL commands via the m parameter to manager/index.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit_link action to manager/tools.php. NOTE: some of these details are obtained from third party information.
CVE-2009-3417	Idojoomla Com Idoblog	0.03	—	Sep 25, 2009	SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than CVE-2008-2627.
CVE-2009-3361	Paul Gibbs PHP Ipnmonitor	0.03	—	Sep 24, 2009	SQL injection vulnerability in index.php in PHP-IPNMonitor allows remote attackers to execute arbitrary SQL commands via the maincat_id parameter.
CVE-2009-3358	Tourismscripts Adult Portal Escort Listing	0.03	—	Sep 24, 2009	SQL injection vulnerability in profile.php in Tourism Scripts Adult Portal escort listing allows remote attackers to execute arbitrary SQL commands via the user_id parameter.
CVE-2009-3357	Joomlahbs Com Hbssearch	0.03	—	Sep 24, 2009	Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.
CVE-2009-3356	Plohni Image Voting	0.03	—	Sep 24, 2009	SQL injection vulnerability in index.php in Image voting 1.0 allows remote attackers to execute arbitrary SQL commands via the show parameter.
CVE-2009-3349	Datavore Gyro	0.03	—	Sep 24, 2009	SQL injection vulnerability in Datavore Gyro 5.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter in a cat action to the home component.
CVE-2009-3343	Hotwebscripts Hotweb Rentals	0.03	—	Sep 24, 2009	SQL injection vulnerability in details.asp in HotWeb Rentals allows remote attackers to execute arbitrary SQL commands via the PropId parameter.
CVE-2009-3342	Alphaplug Com Alphauserpoints	0.03	—	Sep 24, 2009	SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints (com_alphauserpoints) component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.
CVE-2009-3336	Phpprobid Phpprobid	0.03	—	Sep 24, 2009	SQL injection vulnerability in auction_details.php in PHP Pro Bid allows remote attackers to execute arbitrary SQL commands via the auction_id parameter.
CVE-2009-3335	Turtus Turtushout	0.03	—	Sep 24, 2009	SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
CVE-2009-3334	Lhacky Com Jinc	0.03	—	Sep 23, 2009	SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
CVE-2009-3332	Sopinet Com Jbudgetsmagic	0.03	—	Sep 23, 2009	SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) component 0.3.2 through 0.4.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the bid parameter in a mybudget action to index.php.
CVE-2009-3330	Cpecreator Cp Creator	0.03	—	Sep 23, 2009	SQL injection vulnerability in index.php in cP Creator 2.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the tickets parameter in a support ticket action.
CVE-2009-3327	Webilix Wx Guestbook	0.03	—	Sep 23, 2009	Multiple SQL injection vulnerabilities in WX-Guestbook 1.1.208 allow remote attackers to execute arbitrary SQL commands via the (1) QUERY parameter to search.php and (2) USERNAME parameter to login.php. NOTE: some of these details are obtained from third party information.
CVE-2009-3326	Cmscontrol Cmscontrol	0.03	—	Sep 23, 2009	SQL injection vulnerability in index.php in CMScontrol Content Management System 7.x allows remote attackers to execute arbitrary SQL commands via the id_menu parameter.
CVE-2009-3325	Focusdev Com Surveymanager	0.03	—	Sep 23, 2009	SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
CVE-2009-3321	Saphplesson Saphplesson	0.03	—	Sep 23, 2009	SQL injection vulnerability in SaphpLesson 4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the CLIENT_IP HTTP header.

CVE-2009-3430Sep 25, 2009
Allomani
Mobile
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in Allomani Mobile 2.5 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
CVE-2009-3419Sep 25, 2009
Intesync
Miniweb
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in the Publisher module 2.0 for Miniweb allows remote attackers to execute arbitrary SQL commands via the historymonth parameter.
CVE-2009-3418Sep 25, 2009
Plume Cms
Plume CMS
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) remote authenticated users to execute arbitrary SQL commands via the m parameter to manager/index.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit_link action to manager/tools.php. NOTE: some of these details are obtained from third party information.
CVE-2009-3417Sep 25, 2009
Idojoomla
Com Idoblog
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 build 30 for Joomla! allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action to index.php, a different vector than CVE-2008-2627.
CVE-2009-3361Sep 24, 2009
Paul Gibbs
PHP Ipnmonitor
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in PHP-IPNMonitor allows remote attackers to execute arbitrary SQL commands via the maincat_id parameter.
CVE-2009-3358Sep 24, 2009
Tourismscripts
Adult Portal Escort Listing
risk 0.03cvss —epss 0.00
SQL injection vulnerability in profile.php in Tourism Scripts Adult Portal escort listing allows remote attackers to execute arbitrary SQL commands via the user_id parameter.
CVE-2009-3357Sep 24, 2009
Joomlahbs
Com Hbssearch
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in the Hotel Booking Reservation System (aka HBS or com_hbssearch) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) h_id, (2) id, and (3) rid parameters to longDesc.php, and the h_id parameter to (4) detail.php, (5) detail1.php, (6) detail2.php, (7) detail3.php, (8) detail4.php, (9) detail5.php, (10) detail6.php, (11) detail7.php, and (12) detail8.php, different vectors than CVE-2008-5865, CVE-2008-5874, and CVE-2008-5875.
CVE-2009-3356Sep 24, 2009
Plohni
Image Voting
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Image voting 1.0 allows remote attackers to execute arbitrary SQL commands via the show parameter.
CVE-2009-3349Sep 24, 2009
Datavore
Gyro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Datavore Gyro 5.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter in a cat action to the home component.
CVE-2009-3343Sep 24, 2009
Hotwebscripts
Hotweb Rentals
risk 0.03cvss —epss 0.00
SQL injection vulnerability in details.asp in HotWeb Rentals allows remote attackers to execute arbitrary SQL commands via the PropId parameter.
CVE-2009-3342Sep 24, 2009
Alphaplug
Com Alphauserpoints
risk 0.03cvss —epss 0.00
SQL injection vulnerability in frontend/assets/ajax/checkusername.php in the AlphaUserPoints (com_alphauserpoints) component 1.5.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the username2points parameter.
CVE-2009-3336Sep 24, 2009
Phpprobid
Phpprobid
risk 0.03cvss —epss 0.00
SQL injection vulnerability in auction_details.php in PHP Pro Bid allows remote attackers to execute arbitrary SQL commands via the auction_id parameter.
CVE-2009-3335Sep 24, 2009
Turtus
Turtushout
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the TurtuShout component 0.11 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Name field.
CVE-2009-3334Sep 23, 2009
Lhacky
Com Jinc
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Integrated Newsletters Component (aka JINC or com_jinc) component 0.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the newsid parameter in a messages action to index.php.
CVE-2009-3332Sep 23, 2009
Sopinet
Com Jbudgetsmagic
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) component 0.3.2 through 0.4.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the bid parameter in a mybudget action to index.php.
CVE-2009-3330Sep 23, 2009
Cpecreator
Cp Creator
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in cP Creator 2.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the tickets parameter in a support ticket action.
CVE-2009-3327Sep 23, 2009
Webilix
Wx Guestbook
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in WX-Guestbook 1.1.208 allow remote attackers to execute arbitrary SQL commands via the (1) QUERY parameter to search.php and (2) USERNAME parameter to login.php. NOTE: some of these details are obtained from third party information.
CVE-2009-3326Sep 23, 2009
Cmscontrol
Cmscontrol
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in CMScontrol Content Management System 7.x allows remote attackers to execute arbitrary SQL commands via the id_menu parameter.
CVE-2009-3325Sep 23, 2009
Focusdev
Com Surveymanager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Focusplus Developments Survey Manager (com_surveymanager) component 1.5.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the stype parameter in an editsurvey action to index.php.
CVE-2009-3321Sep 23, 2009
Saphplesson
Saphplesson
risk 0.03cvss —epss 0.00
SQL injection vulnerability in SaphpLesson 4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the CLIENT_IP HTTP header.