CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,850)

page 292 of 443

CVE	Vendor / Product	Risk	CVSS	Published	Description
CVE-2009-3316	Jforjoomla Com Jreservation	0.03	—	Sep 23, 2009	SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.
CVE-2009-3315	Nelogic Technologies Nephp Publisher	0.03	—	Sep 23, 2009	SQL injection vulnerability in admin/index.php in NeLogic Nephp Publisher Enterprise 3.5.9 and 4.5 allows remote attackers to execute arbitrary SQL commands via the Username field.
CVE-2009-3314	Eliteladders Elite Gaming Ladders	0.03	—	Sep 23, 2009	SQL injection vulnerability in ladders.php in Elite Gaming Ladders 3.2 allows remote attackers to execute arbitrary SQL commands via the platform parameter.
CVE-2009-3313	Fmyclone Fmyclone	0.03	—	Sep 23, 2009	Multiple SQL injection vulnerabilities in FMyClone 2.3 allow remote attackers to execute arbitrary SQL commands via the comp parameter to (1) index.php and (2) editComments.php, and (3) allow remote authenticated administrators to execute arbitrary SQL commands via the id parameter in a comment action to edit.php.
CVE-2009-3310	Shalwan Zainu	0.03	—	Sep 23, 2009	SQL injection vulnerability in index.php in Zainu 1.0 allows remote attackers to execute arbitrary SQL commands via the album_id parameter in an AlbumSongs action.
CVE-2009-3309	Cfshopkart Cf Shopkart	0.03	—	Sep 23, 2009	SQL injection vulnerability in index.cfm in CF ShopKart 5.4 beta allows remote attackers to execute arbitrary SQL commands via the itemid parameter in a ViewDetails action, a different vector than CVE-2008-6320.
CVE-2009-3308	Fanupdate Fanupdate	0.03	—	Sep 23, 2009	SQL injection vulnerability in show-cat.php in FanUpdate 2.2.1 allows remote attackers to execute arbitrary SQL commands via the listingid parameter.
CVE-2009-3252	Dave Robinson Rockbandcms	0.03	—	Sep 18, 2009	Multiple SQL injection vulnerabilities in news.php in Rock Band CMS 0.10 allow remote attackers to execute arbitrary SQL commands via the (1) year and (2) id parameters.
CVE-2009-3246	Mybuxscript Pts Bux	0.03	—	Sep 18, 2009	SQL injection vulnerability in spnews.php in MyBuxScript PTC-BUX allows remote attackers to execute arbitrary SQL commands via the id parameter in an spnews action to the default URI. NOTE: some of these details are obtained from third party information.
CVE-2009-3226	Almondsoft Almond Classifieds	0.03	—	Sep 16, 2009	SQL injection vulnerability in index.php in AlmondSoft Almond Classifieds Ads Enterprise and Almond Affiliate Network Classifieds allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action. NOTE: some of these details are obtained from third party information.
CVE-2009-3224	Classified Software Super Mod System	0.03	—	Sep 16, 2009	SQL injection vulnerability in index.php in Super Mod System, when using the 68 Classifieds 3.1 Core System, allows remote attackers to execute arbitrary SQL commands via the s parameter.
CVE-2009-3223	Inoutscripts Inout Adserver	0.03	—	Sep 16, 2009	SQL injection vulnerability in ppc-add-keywords.php in Inout Adserver allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
CVE-2009-3218	Awcm Cms Ar Web Content Manager	0.03	—	Sep 16, 2009	SQL injection vulnerability in control/login.php in AR Web Content Manager (AWCM) 2.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2009-3217	Wiccle Iwiccle	0.03	—	Sep 16, 2009	SQL injection vulnerability in the admin module in iWiccle 1.01 allows remote attackers to execute arbitrary SQL commands via the member_id parameter in an edit_user action to index.php.
CVE-2009-3215	Php Shop System Ixxo Cart	0.03	—	Sep 16, 2009	SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
CVE-2009-3209	Raizlabs PHP Email Manager	0.03	—	Sep 16, 2009	SQL injection vulnerability in remove.php in PHP eMail Manager 3.3.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2009-3208	Prakashatma Mishra Phpfreebb	0.03	—	Sep 16, 2009	Multiple SQL injection vulnerabilities in phpfreeBB 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to permalink.php and (2) year parameter to index.php.
CVE-2009-3205	Cbauthority Cbauthority	0.03	—	Sep 16, 2009	SQL injection vulnerability in main.php in CBAuthority allows remote attackers to execute arbitrary SQL commands via the id parameter in a view_product action.
CVE-2009-3203	Aj Square Aj Auction Pro Oopd	0.03	—	Sep 16, 2009	SQL injection vulnerability in store.php in AJ Auction Pro OOPD 2.x allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-3193	Uwix Com Digifolio	0.03	—	Sep 15, 2009	SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.

CVE-2009-3316Sep 23, 2009
Jforjoomla
Com Jreservation
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JReservation (com_jreservation) component 1.0 and 1.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a propertycpanel action to index.php.
CVE-2009-3315Sep 23, 2009
Nelogic Technologies
Nephp Publisher
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in NeLogic Nephp Publisher Enterprise 3.5.9 and 4.5 allows remote attackers to execute arbitrary SQL commands via the Username field.
CVE-2009-3314Sep 23, 2009
Eliteladders
Elite Gaming Ladders
risk 0.03cvss —epss 0.00
SQL injection vulnerability in ladders.php in Elite Gaming Ladders 3.2 allows remote attackers to execute arbitrary SQL commands via the platform parameter.
CVE-2009-3313Sep 23, 2009
Fmyclone
Fmyclone
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in FMyClone 2.3 allow remote attackers to execute arbitrary SQL commands via the comp parameter to (1) index.php and (2) editComments.php, and (3) allow remote authenticated administrators to execute arbitrary SQL commands via the id parameter in a comment action to edit.php.
CVE-2009-3310Sep 23, 2009
Shalwan
Zainu
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Zainu 1.0 allows remote attackers to execute arbitrary SQL commands via the album_id parameter in an AlbumSongs action.
CVE-2009-3309Sep 23, 2009
Cfshopkart
Cf Shopkart
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.cfm in CF ShopKart 5.4 beta allows remote attackers to execute arbitrary SQL commands via the itemid parameter in a ViewDetails action, a different vector than CVE-2008-6320.
CVE-2009-3308Sep 23, 2009
Fanupdate
Fanupdate
risk 0.03cvss —epss 0.00
SQL injection vulnerability in show-cat.php in FanUpdate 2.2.1 allows remote attackers to execute arbitrary SQL commands via the listingid parameter.
CVE-2009-3252Sep 18, 2009
Dave Robinson
Rockbandcms
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in news.php in Rock Band CMS 0.10 allow remote attackers to execute arbitrary SQL commands via the (1) year and (2) id parameters.
CVE-2009-3246Sep 18, 2009
Mybuxscript
Pts Bux
risk 0.03cvss —epss 0.00
SQL injection vulnerability in spnews.php in MyBuxScript PTC-BUX allows remote attackers to execute arbitrary SQL commands via the id parameter in an spnews action to the default URI. NOTE: some of these details are obtained from third party information.
CVE-2009-3226Sep 16, 2009
Almondsoft
Almond Classifieds
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in AlmondSoft Almond Classifieds Ads Enterprise and Almond Affiliate Network Classifieds allows remote attackers to execute arbitrary SQL commands via the replid parameter in a manw_repl add_form action. NOTE: some of these details are obtained from third party information.
CVE-2009-3224Sep 16, 2009
Classified Software
Super Mod System
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Super Mod System, when using the 68 Classifieds 3.1 Core System, allows remote attackers to execute arbitrary SQL commands via the s parameter.
CVE-2009-3223Sep 16, 2009
Inoutscripts
Inout Adserver
risk 0.03cvss —epss 0.00
SQL injection vulnerability in ppc-add-keywords.php in Inout Adserver allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
CVE-2009-3218Sep 16, 2009
Awcm Cms
Ar Web Content Manager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in control/login.php in AR Web Content Manager (AWCM) 2.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2009-3217Sep 16, 2009
Wiccle
Iwiccle
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the admin module in iWiccle 1.01 allows remote attackers to execute arbitrary SQL commands via the member_id parameter in an edit_user action to index.php.
CVE-2009-3215Sep 16, 2009
Php Shop System
Ixxo Cart
risk 0.03cvss —epss 0.00
SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, and the IXXO Cart component for Joomla! 1.0.x, allows remote attackers to execute arbitrary SQL commands via the parent parameter.
CVE-2009-3209Sep 16, 2009
Raizlabs
PHP Email Manager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in remove.php in PHP eMail Manager 3.3.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2009-3208Sep 16, 2009
Prakashatma Mishra
Phpfreebb
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in phpfreeBB 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to permalink.php and (2) year parameter to index.php.
CVE-2009-3205Sep 16, 2009
Cbauthority
Cbauthority
risk 0.03cvss —epss 0.00
SQL injection vulnerability in main.php in CBAuthority allows remote attackers to execute arbitrary SQL commands via the id parameter in a view_product action.
CVE-2009-3203Sep 16, 2009
Aj Square
Aj Auction Pro Oopd
risk 0.03cvss —epss 0.00
SQL injection vulnerability in store.php in AJ Auction Pro OOPD 2.x allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-3193Sep 15, 2009
Uwix
Com Digifolio
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the DigiFolio (com_digifolio) component 1.52 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a project action to index.php.