CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,848)

page 299 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-2428	Tauschregal.de Tausch Ticket Script	0.03	—	0.00	Jul 10, 2009	Multiple SQL injection vulnerabilities in Tausch Ticket Script 3 allow remote attackers to execute arbitrary SQL commands via the (1) userid parameter to suchauftraege_user.php and the (2) descr parameter to vote.php; and other unspecified vectors.
CVE-2009-2427	Jobbr Jobbr	0.03	—	0.00	Jul 10, 2009	SQL injection vulnerability in co-profile.php in Jobbr 2.2.7 allows remote attackers to execute arbitrary SQL commands via the emp_id parameter.
CVE-2009-2423	Ebayclonescript Ebay Clone	0.03	—	0.00	Jul 10, 2009	SQL injection vulnerability in category.php in Ebay Clone 2009 allows remote attackers to execute arbitrary SQL commands via the cate_id parameter in a list action.
CVE-2009-2402	Phpecho Cms Phpecho CMS	0.03	—	0.00	Jul 9, 2009	SQL injection vulnerability in index.php in the forum module in PHPEcho CMS 2.0-rc3 allows remote attackers to execute arbitrary SQL commands via the id parameter in a thread action, a different vector than CVE-2008-0355.
CVE-2009-2400	Fijiwebdesign Com PHP	0.03	—	0.00	Jul 9, 2009	SQL injection vulnerability in the PHP (com_php) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2009-2395	Joomlaworks Com K2	0.03	—	0.00	Jul 9, 2009	SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php.
CVE-2009-2394	Smspages Smspages	0.03	—	0.00	Jul 9, 2009	SQL injection vulnerability in cat.php in SMSPages 1.0 in Mr.Saphp Arabic Script Mobile (aka Messages Library) 2.0 allows remote attackers to execute arbitrary SQL commands via the CatID parameter.
CVE-2009-2392	Virtuenetz Virtue Online Test Generator	0.03	—	0.00	Jul 9, 2009	SQL injection vulnerability in text.php in Virtuenetz Virtue Online Test Generator allows remote attackers to execute arbitrary SQL commands via the tid parameter.
CVE-2009-2390	F Cimag In Com Bookflip	0.03	—	0.00	Jul 9, 2009	SQL injection vulnerability in the BookFlip (com_bookflip) component 2.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the book_id parameter to index.php.
CVE-2009-2389	Usolved Newsolved	0.03	—	0.00	Jul 9, 2009	Multiple SQL injection vulnerabilities in newsscript.php in USOLVED NEWSolved 1.1.6, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) jahr or (2) idneu parameter in an archive action, or (3) the newsid parameter.
CVE-2009-2388	Shalwan Opial	0.03	—	0.00	Jul 9, 2009	SQL injection vulnerability in admin/index.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the txtPassword parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-2385	Fustrate Member Awards	0.03	—	0.00	Jul 8, 2009	SQL injection vulnerability in the awardsMembers function in Sources/Profile.php in the Member Awards component 1.0.2 for Simple Machines Forum (SMF) allows remote attackers to execute arbitrary SQL commands via the id parameter in a profile action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-2383	Blogtrafficexchange Related Sites	0.03	—	0.00	Jul 8, 2009	SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter.
CVE-2009-2366	Datachecknh Forumpal	0.03	—	0.00	Jul 8, 2009	SQL injection vulnerability in login.asp in DataCheck Solutions ForumPal FE 1.1 and ForumPal 1.5 allows remote attackers to execute arbitrary SQL commands via the (1) password parameter in 1.1 and (2) p_password parameter in 1.5. NOTE: some of these details are obtained from third party information.
CVE-2009-2365	Datachecknh Gallerypal Fe	0.03	—	0.00	Jul 8, 2009	SQL injection vulnerability in login.asp in DataCheck Solutions GalleryPal FE 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-2361	Osticket Osticket	0.03	—	0.01	Jul 8, 2009	SQL injection vulnerability in include/class.staff.php in osTicket before 1.6 RC5 allows remote attackers to execute arbitrary SQL commands via the staff username parameter.
CVE-2009-2341	Shalwan Opial	0.03	—	0.00	Jul 7, 2009	SQL injection vulnerability in albumdetail.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the albumid parameter.
CVE-2009-2340	Opial Opial	0.03	—	0.00	Jul 7, 2009	SQL injection vulnerability in admin/index.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the txtUserName (aka User Name) parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-2339	Rentventory Rentventory	0.03	—	0.00	Jul 7, 2009	SQL injection vulnerability in index.php in Rentventory allows remote attackers to execute arbitrary SQL commands via the product parameter.
CVE-2009-2337	—	0.03	—	0.00	Jul 7, 2009	SQL injection vulnerability in includes/module/book/index.inc.php in w3b\|cms Gaestebuch Guestbook Module 3.0.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the spam_id parameter.

CVE-2009-2428Jul 10, 2009
Tauschregal.de
Tausch Ticket Script
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Tausch Ticket Script 3 allow remote attackers to execute arbitrary SQL commands via the (1) userid parameter to suchauftraege_user.php and the (2) descr parameter to vote.php; and other unspecified vectors.
CVE-2009-2427Jul 10, 2009
Jobbr
Jobbr
risk 0.03cvss —epss 0.00
SQL injection vulnerability in co-profile.php in Jobbr 2.2.7 allows remote attackers to execute arbitrary SQL commands via the emp_id parameter.
CVE-2009-2423Jul 10, 2009
Ebayclonescript
Ebay Clone
risk 0.03cvss —epss 0.00
SQL injection vulnerability in category.php in Ebay Clone 2009 allows remote attackers to execute arbitrary SQL commands via the cate_id parameter in a list action.
CVE-2009-2402Jul 9, 2009
Phpecho Cms
Phpecho CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in the forum module in PHPEcho CMS 2.0-rc3 allows remote attackers to execute arbitrary SQL commands via the id parameter in a thread action, a different vector than CVE-2008-0355.
CVE-2009-2400Jul 9, 2009
Fijiwebdesign
Com PHP
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the PHP (com_php) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2009-2395Jul 9, 2009
Joomlaworks
Com K2
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter in an itemlist action to index.php.
CVE-2009-2394Jul 9, 2009
Smspages
Smspages
risk 0.03cvss —epss 0.00
SQL injection vulnerability in cat.php in SMSPages 1.0 in Mr.Saphp Arabic Script Mobile (aka Messages Library) 2.0 allows remote attackers to execute arbitrary SQL commands via the CatID parameter.
CVE-2009-2392Jul 9, 2009
Virtuenetz
Virtue Online Test Generator
risk 0.03cvss —epss 0.00
SQL injection vulnerability in text.php in Virtuenetz Virtue Online Test Generator allows remote attackers to execute arbitrary SQL commands via the tid parameter.
CVE-2009-2390Jul 9, 2009
F Cimag In
Com Bookflip
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the BookFlip (com_bookflip) component 2.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the book_id parameter to index.php.
CVE-2009-2389Jul 9, 2009
Usolved
Newsolved
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in newsscript.php in USOLVED NEWSolved 1.1.6, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) jahr or (2) idneu parameter in an archive action, or (3) the newsid parameter.
CVE-2009-2388Jul 9, 2009
Shalwan
Opial
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the txtPassword parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-2385Jul 8, 2009
Fustrate
Member Awards
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the awardsMembers function in Sources/Profile.php in the Member Awards component 1.0.2 for Simple Machines Forum (SMF) allows remote attackers to execute arbitrary SQL commands via the id parameter in a profile action to index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-2383Jul 8, 2009
Blogtrafficexchange
Related Sites
risk 0.03cvss —epss 0.00
SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter.
CVE-2009-2366Jul 8, 2009
Datachecknh
Forumpal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.asp in DataCheck Solutions ForumPal FE 1.1 and ForumPal 1.5 allows remote attackers to execute arbitrary SQL commands via the (1) password parameter in 1.1 and (2) p_password parameter in 1.5. NOTE: some of these details are obtained from third party information.
CVE-2009-2365Jul 8, 2009
Datachecknh
Gallerypal Fe
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.asp in DataCheck Solutions GalleryPal FE 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-2361Jul 8, 2009
Osticket
Osticket
risk 0.03cvss —epss 0.01
SQL injection vulnerability in include/class.staff.php in osTicket before 1.6 RC5 allows remote attackers to execute arbitrary SQL commands via the staff username parameter.
CVE-2009-2341Jul 7, 2009
Shalwan
Opial
risk 0.03cvss —epss 0.00
SQL injection vulnerability in albumdetail.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the albumid parameter.
CVE-2009-2340Jul 7, 2009
Opial
Opial
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the txtUserName (aka User Name) parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-2339Jul 7, 2009
Rentventory
Rentventory
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Rentventory allows remote attackers to execute arbitrary SQL commands via the product parameter.
CVE-2009-2337Jul 7, 2009
risk 0.03cvss —epss 0.00
SQL injection vulnerability in includes/module/book/index.inc.php in w3b|cms Gaestebuch Guestbook Module 3.0.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the spam_id parameter.