CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,848)

page 302 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-2023	Shop Script Shop Script	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in index.php in Shop-Script Pro 2.12, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the current_currency parameter.
CVE-2009-2021	Virtuenetz Virtue Classifieds	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in search.php in Virtue Classifieds allows remote attackers to execute arbitrary SQL commands via the category parameter.
CVE-2009-2019	Virtuenetz Virtue News Manager	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in news_detail.php in Virtue News Manager allows remote attackers to execute arbitrary SQL commands via the nid parameter.
CVE-2009-2018	Jaredeckersley Mycars	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in admin/index.php in Jared Eckersley MyCars, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the authuserid parameter.
CVE-2009-2017	Virtuenetz Virtue Book Store	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in products.php in Virtue Book Store allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2009-2016	Virtuenetz Virtue Shopping Mall	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in products.php in Virtue Shopping Mall allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2009-2014	Joomla Com School	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in the ComSchool (com_school) component 1.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the classid parameter in a showclass action to index.php.
CVE-2009-2013	Frontisgroup Frontis	0.03	—	0.00	Jun 9, 2009	SQL injection vulnerability in bin/aps_browse_sources.php in Frontis 3.9.01.24 allows remote attackers to execute arbitrary SQL commands via the source_class parameter in a browse_classes action.
CVE-2009-2010	Haudenschilt Family Connections CMS	0.03	—	0.00	Jun 8, 2009	Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.9 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) thread parameter to messageboard.php, (2) member parameter to profile.php, (3) pid parameter to gallery/index.php, and the (4) fcms_login_id cookie parameter.
CVE-2009-1952	Propertymaxpro Propertymax Pro Free	0.03	—	0.00	Jun 5, 2009	Multiple SQL injection vulnerabilities in the administrative login feature in PropertyMax Pro FREE 0.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-1950	Ahmet Donmez Webeyes Guest Book	0.03	—	0.00	Jun 5, 2009	SQL injection vulnerability in yorum.asp in WebEyes Guest Book 3 allows remote attackers to execute arbitrary SQL commands via the mesajid parameter.
CVE-2009-1947	Unclassified Newsboard Unclassified Newsboard	0.03	—	0.00	Jun 5, 2009	SQL injection vulnerability in the UnbDbEncode function in unb_lib/database.lib.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote attackers to execute arbitrary SQL commands via the Query parameter in a search action to forum.php, a different vector than CVE-2005-3686.
CVE-2009-1945	Tzo Webcal	0.03	—	0.00	Jun 5, 2009	SQL injection vulnerability in webCal3_detail.asp in WebCal 3.04 allows remote attackers to execute arbitrary SQL commands via the event_id parameter.
CVE-2009-1913	Luxbum Luxbum	0.03	—	0.00	Jun 4, 2009	SQL injection vulnerability in manager.php in LuxBum 0.5.5, when magic_quotes_gpc is disabled and dotclear authentication is used, allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
CVE-2009-1910	Rafal Kucharski Rtwebalbum	0.03	—	0.01	Jun 4, 2009	SQL injection vulnerability in index.php in RTWebalbum 1.0.462 allows remote attackers to execute arbitrary SQL commands via the AlbumId parameter.
CVE-2009-1853	Kenseiboard Kensei Board	0.03	—	0.00	Jun 1, 2009	Multiple SQL injection vulnerabilities in index.php in Kensei Board 2.0 BETA (aka 2.0.0b) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) f and (2) t parameters in a showforum action.
CVE-2009-1852	Graphiks Myforum	0.03	—	0.00	Jun 1, 2009	Multiple SQL injection vulnerabilities in Graphiks MyForum 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.
CVE-2009-1850	Benjamin Curtis Phpbugtracker	0.03	—	0.00	Jun 1, 2009	SQL injection vulnerability in index.php in phpBugTracker 1.0.3 allows remote attackers to execute arbitrary SQL commands via the password parameter.
CVE-2009-1848	Joomlame Com Agoragroup	0.03	—	0.00	Jun 1, 2009	SQL injection vulnerability in the JoomlaMe AgoraGroups (aka AG or com_agoragroup) component 0.3.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a groupdetail action to index.php.
CVE-2009-1843	Glenn Mcgurrin Flash Quiz	0.03	—	0.00	Jun 1, 2009	Multiple SQL injection vulnerabilities in Flash Quiz Beta 2 allow remote attackers to execute arbitrary SQL commands via the (1) quiz parameter to (a) num_questions.php, (b) answers.php, (c) high_score.php, (d) high_score_web.php, (e) results_table_web.php, and (f) question.php; and the (2) order_number parameter to (g) answers.php and (h) question.php.

CVE-2009-2023Jun 9, 2009
Shop Script
Shop Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Shop-Script Pro 2.12, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the current_currency parameter.
CVE-2009-2021Jun 9, 2009
Virtuenetz
Virtue Classifieds
risk 0.03cvss —epss 0.00
SQL injection vulnerability in search.php in Virtue Classifieds allows remote attackers to execute arbitrary SQL commands via the category parameter.
CVE-2009-2019Jun 9, 2009
Virtuenetz
Virtue News Manager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in news_detail.php in Virtue News Manager allows remote attackers to execute arbitrary SQL commands via the nid parameter.
CVE-2009-2018Jun 9, 2009
Jaredeckersley
Mycars
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in Jared Eckersley MyCars, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the authuserid parameter.
CVE-2009-2017Jun 9, 2009
Virtuenetz
Virtue Book Store
risk 0.03cvss —epss 0.00
SQL injection vulnerability in products.php in Virtue Book Store allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2009-2016Jun 9, 2009
Virtuenetz
Virtue Shopping Mall
risk 0.03cvss —epss 0.00
SQL injection vulnerability in products.php in Virtue Shopping Mall allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2009-2014Jun 9, 2009
Joomla
Com School
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the ComSchool (com_school) component 1.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the classid parameter in a showclass action to index.php.
CVE-2009-2013Jun 9, 2009
Frontisgroup
Frontis
risk 0.03cvss —epss 0.00
SQL injection vulnerability in bin/aps_browse_sources.php in Frontis 3.9.01.24 allows remote attackers to execute arbitrary SQL commands via the source_class parameter in a browse_classes action.
CVE-2009-2010Jun 8, 2009
Haudenschilt
Family Connections CMS
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.9 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) thread parameter to messageboard.php, (2) member parameter to profile.php, (3) pid parameter to gallery/index.php, and the (4) fcms_login_id cookie parameter.
CVE-2009-1952Jun 5, 2009
Propertymaxpro
Propertymax Pro Free
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in the administrative login feature in PropertyMax Pro FREE 0.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-1950Jun 5, 2009
Ahmet Donmez
Webeyes Guest Book
risk 0.03cvss —epss 0.00
SQL injection vulnerability in yorum.asp in WebEyes Guest Book 3 allows remote attackers to execute arbitrary SQL commands via the mesajid parameter.
CVE-2009-1947Jun 5, 2009
Unclassified Newsboard
Unclassified Newsboard
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the UnbDbEncode function in unb_lib/database.lib.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote attackers to execute arbitrary SQL commands via the Query parameter in a search action to forum.php, a different vector than CVE-2005-3686.
CVE-2009-1945Jun 5, 2009
Tzo
Webcal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in webCal3_detail.asp in WebCal 3.04 allows remote attackers to execute arbitrary SQL commands via the event_id parameter.
CVE-2009-1913Jun 4, 2009
Luxbum
Luxbum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in manager.php in LuxBum 0.5.5, when magic_quotes_gpc is disabled and dotclear authentication is used, allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
CVE-2009-1910Jun 4, 2009
Rafal Kucharski
Rtwebalbum
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in RTWebalbum 1.0.462 allows remote attackers to execute arbitrary SQL commands via the AlbumId parameter.
CVE-2009-1853Jun 1, 2009
Kenseiboard
Kensei Board
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in index.php in Kensei Board 2.0 BETA (aka 2.0.0b) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) f and (2) t parameters in a showforum action.
CVE-2009-1852Jun 1, 2009
Graphiks
Myforum
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Graphiks MyForum 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.
CVE-2009-1850Jun 1, 2009
Benjamin Curtis
Phpbugtracker
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in phpBugTracker 1.0.3 allows remote attackers to execute arbitrary SQL commands via the password parameter.
CVE-2009-1848Jun 1, 2009
Joomlame
Com Agoragroup
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JoomlaMe AgoraGroups (aka AG or com_agoragroup) component 0.3.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a groupdetail action to index.php.
CVE-2009-1843Jun 1, 2009
Glenn Mcgurrin
Flash Quiz
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Flash Quiz Beta 2 allow remote attackers to execute arbitrary SQL commands via the (1) quiz parameter to (a) num_questions.php, (b) answers.php, (c) high_score.php, (d) high_score_web.php, (e) results_table_web.php, and (f) question.php; and the (2) order_number parameter to (g) answers.php and (h) question.php.