CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,848)
page 296 of 443| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-6989 | 0.03 | — | 0.00 | Aug 19, 2009 | SQL injection vulnerability in gallery.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 allows remote attackers to execute arbitrary SQL commands via the username parameter. | |||
| CVE-2008-6985 | 0.03 | — | 0.01 | Aug 19, 2009 | Multiple SQL injection vulnerabilities in includes/classes/shopping_cart.php in Zen Cart 1.2.0 through 1.3.8a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the id parameter when (1) adding or (2) updating the shopping cart. | |||
| CVE-2009-2790 | 0.03 | — | 0.00 | Aug 17, 2009 | SQL injection vulnerability in cat_products.php in SoftBiz Dating Script allows remote attackers to execute arbitrary SQL commands via the cid parameter. NOTE: this might overlap CVE-2006-3271.4. | |||
| CVE-2009-2788 | 0.03 | — | 0.00 | Aug 17, 2009 | Multiple SQL injection vulnerabilities in Mobilelib GOLD 3 allow remote attackers to execute arbitrary SQL commands via the (1) adminName parameter to cp/auth.php, (2) cid parameter to artcat.php, and (3) catid parameter to show.php. | |||
| CVE-2009-2786 | 0.03 | — | 0.00 | Aug 17, 2009 | SQL injection vulnerability in reputation.php in the Reputation plugin 2.2.4, 2.2.3, 2.0.4, and earlier for PunBB allows remote attackers to execute arbitrary SQL commands via the poster parameter. | |||
| CVE-2009-2782 | 0.03 | — | 0.00 | Aug 17, 2009 | SQL injection vulnerability in the JFusion (com_jfusion) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php. | |||
| CVE-2009-2781 | 0.03 | — | 0.00 | Aug 17, 2009 | SQL injection vulnerability in forum.php in Arab Portal 2.x, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the qc parameter in an addcomment action, a different vector than CVE-2006-1666. | |||
| CVE-2009-2779 | 0.03 | — | 0.00 | Aug 17, 2009 | SQL injection vulnerability in index.php in AJ Matrix DNA allows remote attackers to execute arbitrary SQL commands via the id parameter in a productdetail action. | |||
| CVE-2009-2777 | 0.03 | — | 0.00 | Aug 14, 2009 | SQL injection vulnerability in visitor/view.php in GarageSales Script allows remote attackers to execute arbitrary SQL commands via the key parameter. | |||
| CVE-2009-2776 | 0.03 | — | 0.00 | Aug 14, 2009 | SQL injection vulnerability in showresult.asp in Smart ASP Survey allows remote attackers to execute arbitrary SQL commands via the catid parameter. | |||
| CVE-2009-2775 | 0.03 | — | 0.00 | Aug 14, 2009 | SQL injection vulnerability in linkout.php in PHPArcadeScript (PHP Arcade Script) 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2009-2774 | 0.03 | — | 0.00 | Aug 14, 2009 | SQL injection vulnerability in paidbanner.php in PHP Paid 4 Mail Script allows remote attackers to execute arbitrary SQL commands via the ID parameter. | |||
| CVE-2008-6970 | 0.03 | — | 0.01 | Aug 13, 2009 | SQL injection vulnerability in dosearch.inc.php in UBB.threads 7.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the Forum[] array parameter. | |||
| CVE-2008-6968 | 0.03 | — | 0.00 | Aug 13, 2009 | Multiple SQL injection vulnerabilities in submit.php in Pligg CMS 9.9.5 allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) id parameters. | |||
| CVE-2008-6964 | 0.03 | — | 0.00 | Aug 13, 2009 | SQL injection vulnerability in the login page in X7 Chat 2.0.5 allows remote attackers to execute arbitrary SQL commands via the password field. | |||
| CVE-2008-6952 | 0.03 | — | 0.00 | Aug 12, 2009 | SQL injection vulnerability in Rss.php in MauryCMS 0.53.2 and earlier allows remote attackers to execute arbitrary SQL commands via the c parameter. | |||
| CVE-2008-6950 | 0.03 | — | 0.00 | Aug 12, 2009 | Multiple SQL injection vulnerabilities in login.asp in Bankoi WebHosting Control Panel 1.20 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field. | |||
| CVE-2008-6941 | 0.03 | — | 0.01 | Aug 12, 2009 | SQL injection vulnerability in the login functionality in TurnkeyForms Web Hosting Directory allows remote attackers to execute arbitrary SQL commands via the password field. | |||
| CVE-2009-2735 | 0.03 | — | 0.00 | Aug 11, 2009 | SQL injection vulnerability in admin.php in sun-jester OpenNews 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter. | |||
| CVE-2008-6923 | 0.03 | — | 0.00 | Aug 10, 2009 | SQL injection vulnerability in the content component (com_content) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php. |
- CVE-2008-6989Aug 19, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in gallery.php in Easy Photo Gallery (aka Ezphotogallery) 2.1 allows remote attackers to execute arbitrary SQL commands via the username parameter.
- CVE-2008-6985Aug 19, 2009risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in includes/classes/shopping_cart.php in Zen Cart 1.2.0 through 1.3.8a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the id parameter when (1) adding or (2) updating the shopping cart.
- CVE-2009-2790Aug 17, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in cat_products.php in SoftBiz Dating Script allows remote attackers to execute arbitrary SQL commands via the cid parameter. NOTE: this might overlap CVE-2006-3271.4.
- CVE-2009-2788Aug 17, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Mobilelib GOLD 3 allow remote attackers to execute arbitrary SQL commands via the (1) adminName parameter to cp/auth.php, (2) cid parameter to artcat.php, and (3) catid parameter to show.php.
- CVE-2009-2786Aug 17, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in reputation.php in the Reputation plugin 2.2.4, 2.2.3, 2.0.4, and earlier for PunBB allows remote attackers to execute arbitrary SQL commands via the poster parameter.
- CVE-2009-2782Aug 17, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JFusion (com_jfusion) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.
- CVE-2009-2781Aug 17, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in forum.php in Arab Portal 2.x, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the qc parameter in an addcomment action, a different vector than CVE-2006-1666.
- CVE-2009-2779Aug 17, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in AJ Matrix DNA allows remote attackers to execute arbitrary SQL commands via the id parameter in a productdetail action.
- CVE-2009-2777Aug 14, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in visitor/view.php in GarageSales Script allows remote attackers to execute arbitrary SQL commands via the key parameter.
- CVE-2009-2776Aug 14, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in showresult.asp in Smart ASP Survey allows remote attackers to execute arbitrary SQL commands via the catid parameter.
- CVE-2009-2775Aug 14, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in linkout.php in PHPArcadeScript (PHP Arcade Script) 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2009-2774Aug 14, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in paidbanner.php in PHP Paid 4 Mail Script allows remote attackers to execute arbitrary SQL commands via the ID parameter.
- CVE-2008-6970Aug 13, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in dosearch.inc.php in UBB.threads 7.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the Forum[] array parameter.
- CVE-2008-6968Aug 13, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in submit.php in Pligg CMS 9.9.5 allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) id parameters.
- CVE-2008-6964Aug 13, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in the login page in X7 Chat 2.0.5 allows remote attackers to execute arbitrary SQL commands via the password field.
- CVE-2008-6952Aug 12, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in Rss.php in MauryCMS 0.53.2 and earlier allows remote attackers to execute arbitrary SQL commands via the c parameter.
- CVE-2008-6950Aug 12, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.asp in Bankoi WebHosting Control Panel 1.20 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field.
- CVE-2008-6941Aug 12, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in the login functionality in TurnkeyForms Web Hosting Directory allows remote attackers to execute arbitrary SQL commands via the password field.
- CVE-2009-2735Aug 11, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin.php in sun-jester OpenNews 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.
- CVE-2008-6923Aug 10, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in the content component (com_content) 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter in a blogcategory action to index.php.