CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,841)
page 306 of 443| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-1411 | 0.03 | — | 0.00 | Apr 24, 2009 | SQL injection vulnerability in events/inc/events.inc.php in the Events plugin for Seditio CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the c parameter to plug.php. | |||
| CVE-2009-1410 | 0.03 | — | 0.00 | Apr 24, 2009 | SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2009-1409 | — | 0.03 | — | 0.00 | Apr 24, 2009 | SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320. | ||
| CVE-2009-1404 | 0.03 | — | 0.00 | Apr 24, 2009 | SQL injection vulnerability in admin.php in PastelCMS 0.8.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user (Username) parameter. | |||
| CVE-2009-1403 | 0.03 | — | 0.00 | Apr 24, 2009 | SQL injection vulnerability in product_info.php in CRE Loaded 6.2 allows remote attackers to execute arbitrary SQL commands via the products_id parameter. | |||
| CVE-2008-6749 | 0.03 | — | 0.00 | Apr 24, 2009 | Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPDirectory 0.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) checkuser and (2) checkpass parameters. | |||
| CVE-2009-1362 | 0.03 | — | 0.01 | Apr 22, 2009 | SQL injection vulnerability in administration/index.php in chCounter 3.1.3 allows remote attackers to execute arbitrary SQL commands via the login_name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||
| CVE-2008-6741 | 0.03 | — | 0.00 | Apr 21, 2009 | SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multibyte character set such as big5, which causes the addslashes PHP function to produce a "\" (backslash) sequence that does not quote the "'" (single quote) character, as demonstrated via a manlabels action to index.php. | |||
| CVE-2009-1347 | 0.03 | — | 0.00 | Apr 20, 2009 | Multiple SQL injection vulnerabilities in stats/index.php in chCounter 3.1.3 allow remote attackers to execute arbitrary SQL commands via (1) the login_name parameter (aka the username field) or (2) the login_pw parameter (aka the password field). | |||
| CVE-2009-1346 | 0.03 | — | 0.00 | Apr 20, 2009 | SQL injection vulnerability in publico/ficha.php in NetHoteles 3.0 allows remote attackers to execute arbitrary SQL commands via the id_establecimiento parameter. | |||
| CVE-2009-1345 | 0.03 | — | 0.00 | Apr 20, 2009 | SQL injection vulnerability in document.php in cpCommerce 1.2.8 allows remote attackers to execute arbitrary SQL commands via the id_document parameter. | |||
| CVE-2008-6730 | 0.03 | — | 0.00 | Apr 20, 2009 | Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPLink Pro 0.0.6 and 0.0.7, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the checkuser parameter (aka username field), or (2) the checkpass parameter (aka password field), to admin/index.php. | |||
| CVE-2009-1323 | 0.03 | — | 0.00 | Apr 17, 2009 | SQL injection vulnerability in body.asp in Web File Explorer 3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2009-1317 | 0.03 | — | 0.00 | Apr 17, 2009 | Multiple SQL injection vulnerabilities in Aqua CMS 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) userSID cookie parameter to droplets/functions/base.php and the (2) username parameter to admin/index.php. | |||
| CVE-2009-1316 | 0.03 | — | 0.00 | Apr 17, 2009 | Multiple SQL injection vulnerabilities in AbleSpace 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to events_view.php and the (2) id parameter to events_clndr_view.php. | |||
| CVE-2008-6725 | 0.03 | — | 0.01 | Apr 17, 2009 | Multiple SQL injection vulnerabilities in CMScout 2.06 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) index.php in a mythings page (mythings.php) and (2) the users page in admin.php. | |||
| CVE-2008-6721 | 0.03 | — | 0.00 | Apr 14, 2009 | SQL injection vulnerability in index.php in AJ Square AJ Article allows remote attackers to execute arbitrary SQL commands via the txtName parameter (aka the username field). | |||
| CVE-2008-6720 | 0.03 | — | 0.00 | Apr 13, 2009 | SQL injection vulnerability in admin/adm_login.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the admin_username parameter (aka the admin field). | |||
| CVE-2009-1282 | 0.03 | — | 0.01 | Apr 9, 2009 | SQL injection vulnerability in private/system/lib-session.php in glFusion 1.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the glf_session cookie parameter. | |||
| CVE-2009-1277 | 0.03 | — | 0.00 | Apr 9, 2009 | SQL injection vulnerability in index.php in Gravity Board X (GBX) 2.0 BETA allows remote attackers to execute arbitrary SQL commands via the member_id parameter in a viewprofile action. NOTE: the board_id issue is already covered by CVE-2008-2996.2. |
- CVE-2009-1411Apr 24, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in events/inc/events.inc.php in the Events plugin for Seditio CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the c parameter to plug.php.
- CVE-2009-1410Apr 24, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2009-1409Apr 24, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320.
- CVE-2009-1404Apr 24, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin.php in PastelCMS 0.8.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user (Username) parameter.
- CVE-2009-1403Apr 24, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in product_info.php in CRE Loaded 6.2 allows remote attackers to execute arbitrary SQL commands via the products_id parameter.
- CVE-2008-6749Apr 24, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPDirectory 0.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) checkuser and (2) checkpass parameters.
- CVE-2009-1362Apr 22, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in administration/index.php in chCounter 3.1.3 allows remote attackers to execute arbitrary SQL commands via the login_name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-6741Apr 21, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multibyte character set such as big5, which causes the addslashes PHP function to produce a "\" (backslash) sequence that does not quote the "'" (single quote) character, as demonstrated via a manlabels action to index.php.
- CVE-2009-1347Apr 20, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in stats/index.php in chCounter 3.1.3 allow remote attackers to execute arbitrary SQL commands via (1) the login_name parameter (aka the username field) or (2) the login_pw parameter (aka the password field).
- CVE-2009-1346Apr 20, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in publico/ficha.php in NetHoteles 3.0 allows remote attackers to execute arbitrary SQL commands via the id_establecimiento parameter.
- CVE-2009-1345Apr 20, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in document.php in cpCommerce 1.2.8 allows remote attackers to execute arbitrary SQL commands via the id_document parameter.
- CVE-2008-6730Apr 20, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPLink Pro 0.0.6 and 0.0.7, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the checkuser parameter (aka username field), or (2) the checkpass parameter (aka password field), to admin/index.php.
- CVE-2009-1323Apr 17, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in body.asp in Web File Explorer 3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2009-1317Apr 17, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Aqua CMS 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) userSID cookie parameter to droplets/functions/base.php and the (2) username parameter to admin/index.php.
- CVE-2009-1316Apr 17, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in AbleSpace 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to events_view.php and the (2) id parameter to events_clndr_view.php.
- CVE-2008-6725Apr 17, 2009risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in CMScout 2.06 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) index.php in a mythings page (mythings.php) and (2) the users page in admin.php.
- CVE-2008-6721Apr 14, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in AJ Square AJ Article allows remote attackers to execute arbitrary SQL commands via the txtName parameter (aka the username field).
- CVE-2008-6720Apr 13, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/adm_login.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the admin_username parameter (aka the admin field).
- CVE-2009-1282Apr 9, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in private/system/lib-session.php in glFusion 1.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the glf_session cookie parameter.
- CVE-2009-1277Apr 9, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Gravity Board X (GBX) 2.0 BETA allows remote attackers to execute arbitrary SQL commands via the member_id parameter in a viewprofile action. NOTE: the board_id issue is already covered by CVE-2008-2996.2.