CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 305 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6788	Minddezign Photo Gallery	0.03	—	0.01	May 4, 2009	SQL injection vulnerability in MindDezign Photo Gallery 2.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in an info action to index.php.
CVE-2009-1509	Myiosoft Ajaxportal	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in ajaxp_backend.php in MyioSoft AjaxPortal 3.0 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2009-1508	Keir Davis X Forum	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in the xforum_validateUser function in Common.php in X-Forum 0.6.2 allows remote attackers to execute arbitrary SQL commands, as demonstrated via the cookie_username parameter to Configure.php.
CVE-2008-6787	Jeremy Powers Lizardware CMS	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in administrator/index.php in Lizardware CMS 0.6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the user.
CVE-2009-1506	Intelliants Elitius	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in classes/Xp.php in eLitius 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to banner-details.php.
CVE-2009-1503	Tigerdms Tigerdms	0.03	—	0.00	May 1, 2009	Multiple SQL injection vulnerabilities in login.php in Tiger Document Management System (DMS) allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-1500	Projectcms Projectcms	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in index.php in ProjectCMS 1.0 Beta allows remote attackers to execute arbitrary SQL commands via the sn parameter.
CVE-2008-6784	Scripts For Sites Ez Adult Directory	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in directory.php in Scripts For Sites (SFS) EZ Adult Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6783	Scripts For Sites Ez Home Business Directory	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in directory.php in Sites for Scripts (SFS) EZ Home Business Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6782	Scripts For Sites Ez Hosting Directory	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in directory.php in Sites for Scripts (SFS) EZ Hosting Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6781	Scripts For Sites Ez Gaming Directory	0.03	—	0.02	May 1, 2009	SQL injection vulnerability in directory.php in Sites for Scripts (SFS) Gaming Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6780	Scripts For Sites Ez Affiliate	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in directory.php in Scripts for Sites (SFS) SFS EZ Affiliate allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6779	Warpspeed Sarkilar Module	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in the Sarkilar module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a showcontent action to modules.php.
CVE-2008-6778	Scripts For Sites Ez Auction	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in viewfaqs.php in Scripts for Sites (SFS) EZ Auction allows remote attackers to execute arbitrary SQL commands via the cat parameter.
CVE-2008-6777	Myphp Forum Myphp Forum	0.03	—	0.00	May 1, 2009	Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a confirm action, the (2) user parameter in a newconfirm action, and (3) reqpwd action to member.php; and the (4) quote parameter in a post action and (5) pid parameter in an edit action to post.php, different vectors than CVE-2005-0413.2 and CVE-2007-6667.
CVE-2008-6776	Scripts For Sites Ez Hot Or Not	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in viewcomments.php in Scripts For Sites (SFS) EZ Hot or Not allows remote attackers to execute arbitrary SQL commands via the phid parameter.
CVE-2009-1499	Joomla Joomla!	0.03	—	0.00	May 1, 2009	SQL injection vulnerability in the MailTo (aka com_mailto) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in index.php. NOTE: SecurityFocus states that this issue has been disputed by the vendor.
CVE-2009-1487	Rens Rikkerink Fungamez	0.03	—	0.00	Apr 29, 2009	SQL injection vulnerability in pages/login.php in FunGamez RC1 allows remote attackers to execute arbitrary SQL commands via the login_user (aka username) parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-1480	Pragyan Cms Project Pragyan CMS	0.03	—	0.00	Apr 29, 2009	SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors.
CVE-2009-1453	Anoochit Chalothorn Tiny Blogr	0.03	—	0.00	Apr 28, 2009	SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the txtUsername parameter (aka the Username field). NOTE: some of these details are obtained from third party information.

CVE-2008-6788May 4, 2009
Minddezign
Photo Gallery
risk 0.03cvss —epss 0.01
SQL injection vulnerability in MindDezign Photo Gallery 2.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in an info action to index.php.
CVE-2009-1509May 1, 2009
Myiosoft
Ajaxportal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in ajaxp_backend.php in MyioSoft AjaxPortal 3.0 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2009-1508May 1, 2009
Keir Davis
X Forum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the xforum_validateUser function in Common.php in X-Forum 0.6.2 allows remote attackers to execute arbitrary SQL commands, as demonstrated via the cookie_username parameter to Configure.php.
CVE-2008-6787May 1, 2009
Jeremy Powers
Lizardware CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in administrator/index.php in Lizardware CMS 0.6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the user.
CVE-2009-1506May 1, 2009
Intelliants
Elitius
risk 0.03cvss —epss 0.00
SQL injection vulnerability in classes/Xp.php in eLitius 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to banner-details.php.
CVE-2009-1503May 1, 2009
Tigerdms
Tigerdms
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.php in Tiger Document Management System (DMS) allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-1500May 1, 2009
Projectcms
Projectcms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in ProjectCMS 1.0 Beta allows remote attackers to execute arbitrary SQL commands via the sn parameter.
CVE-2008-6784May 1, 2009
Scripts For Sites
Ez Adult Directory
risk 0.03cvss —epss 0.00
SQL injection vulnerability in directory.php in Scripts For Sites (SFS) EZ Adult Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6783May 1, 2009
Scripts For Sites
Ez Home Business Directory
risk 0.03cvss —epss 0.00
SQL injection vulnerability in directory.php in Sites for Scripts (SFS) EZ Home Business Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6782May 1, 2009
Scripts For Sites
Ez Hosting Directory
risk 0.03cvss —epss 0.00
SQL injection vulnerability in directory.php in Sites for Scripts (SFS) EZ Hosting Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6781May 1, 2009
Scripts For Sites
Ez Gaming Directory
risk 0.03cvss —epss 0.02
SQL injection vulnerability in directory.php in Sites for Scripts (SFS) Gaming Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6780May 1, 2009
Scripts For Sites
Ez Affiliate
risk 0.03cvss —epss 0.00
SQL injection vulnerability in directory.php in Scripts for Sites (SFS) SFS EZ Affiliate allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
CVE-2008-6779May 1, 2009
Warpspeed
Sarkilar Module
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Sarkilar module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a showcontent action to modules.php.
CVE-2008-6778May 1, 2009
Scripts For Sites
Ez Auction
risk 0.03cvss —epss 0.00
SQL injection vulnerability in viewfaqs.php in Scripts for Sites (SFS) EZ Auction allows remote attackers to execute arbitrary SQL commands via the cat parameter.
CVE-2008-6777May 1, 2009
Myphp Forum
Myphp Forum
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a confirm action, the (2) user parameter in a newconfirm action, and (3) reqpwd action to member.php; and the (4) quote parameter in a post action and (5) pid parameter in an edit action to post.php, different vectors than CVE-2005-0413.2 and CVE-2007-6667.
CVE-2008-6776May 1, 2009
Scripts For Sites
Ez Hot Or Not
risk 0.03cvss —epss 0.00
SQL injection vulnerability in viewcomments.php in Scripts For Sites (SFS) EZ Hot or Not allows remote attackers to execute arbitrary SQL commands via the phid parameter.
CVE-2009-1499May 1, 2009
Joomla
Joomla!
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the MailTo (aka com_mailto) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in index.php. NOTE: SecurityFocus states that this issue has been disputed by the vendor.
CVE-2009-1487Apr 29, 2009
Rens Rikkerink
Fungamez
risk 0.03cvss —epss 0.00
SQL injection vulnerability in pages/login.php in FunGamez RC1 allows remote attackers to execute arbitrary SQL commands via the login_user (aka username) parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-1480Apr 29, 2009
Pragyan Cms Project
Pragyan CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remote attackers to execute arbitrary SQL commands via the fileget parameter in a view action and other unspecified vectors.
CVE-2009-1453Apr 28, 2009
Anoochit Chalothorn
Tiny Blogr
risk 0.03cvss —epss 0.00
SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the txtUsername parameter (aka the Username field). NOTE: some of these details are obtained from third party information.