CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 307 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6678	Quickersite Quickersite	0.03	—	0.00	Apr 8, 2009	SQL injection vulnerability in asp/includes/contact.asp in QuickerSite 1.8.5 allows remote attackers to execute arbitrary SQL commands via the sNickName parameter in a profile action to default.asp.
CVE-2008-6663	Phpauction Phpauctions	0.03	—	0.00	Apr 8, 2009	SQL injection vulnerability in profile.php in PHPAuctions.info PHPAuctions (aka PHPAuctionSystem) allows remote attackers to execute arbitrary SQL commands via the auction_id parameter, a different vector than CVE-2009-0106.
CVE-2009-1263	Alikonweb Com Bookjoomlas	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in sub_commententry.php in the BookJoomlas (com_bookjoomlas) component 0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gbid parameter in a comment action to index.php.
CVE-2009-1259	Insanevisions Adaptbb	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in inc/bb/topic.php in Insane Visions AdaptBB 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the topic_id parameter in a topic action to index.php.
CVE-2009-1256	Flexcms Flexcms	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in FlexCMS 2.5 allows remote attackers to execute arbitrary SQL commands via the ItemId parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6656	Openautoclassifieds Open Auto Classifieds	0.03	—	0.01	Apr 7, 2009	Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to listings.php and (2) the username field to login.php.
CVE-2008-6653	Wh Com Com Webhosting	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in webhosting.php in the Webhosting Component (com_webhosting) module before 1.1 RC7 for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.
CVE-2008-6652	Insanevisions Onecms	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in asd.php in OneCMS 2.5 allows remote attackers to execute arbitrary SQL commands via the sitename parameter.
CVE-2008-6649	Ktools Photostore	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in manager/image_details_editor.php in Ktools PhotoStore 2.5, 2.9.8, 3.1.0, and other versions through 3.5.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6648	Ktools Photostore	0.03	—	0.01	Apr 7, 2009	SQL injection vulnerability in crumbs.php in Ktools PhotoStore 3.4.3 and 3.5.2 allows remote attackers to execute arbitrary SQL commands via the gid parameter to about_us.php. NOTE: this might be the same issue as CVE-2008-6647.
CVE-2008-6647	Ktools Photostore	0.03	—	0.01	Apr 7, 2009	SQL injection vulnerability in gallery.php in Ktools PhotoStore 3.4.3 allows remote attackers to execute arbitrary SQL commands via the gid parameter.
CVE-2008-6642	Fluentcms Fluentcms	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in view.php in DotContent FluentCMS 4.x allows remote attackers to execute arbitrary SQL commands via the sid parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6641	Aspindir Shader Tv	0.03	—	0.00	Apr 7, 2009	Multiple SQL injection vulnerabilities in Shader TV (Beta) allow remote authenticated administrators to execute arbitrary SQL commands via the sid parameter to (1) kanal.asp, (2) google.asp, and (3) hakk.asp in yonet/; and allow remote attackers to execute arbitrary SQL commands via the (4) username or (5) password fields to yonet/default.asp.
CVE-2008-6640	Aspindir Batmanportal	0.03	—	0.00	Apr 7, 2009	Multiple SQL injection vulnerabilities in BatmanPorTaL allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) uyeadmin.asp and (2) profil.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6634	Beaussier Roomphplanning	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attackers to execute arbitrary SQL commands via the idroom parameter to weekview.php.
CVE-2008-6633	Beaussier Roomphplanning	0.03	—	0.01	Apr 7, 2009	SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attackers to execute arbitrary SQL commands via the idresa parameter to resaopen.php.
CVE-2008-6632	Mercuryboard Mercuryboard	0.03	—	0.00	Apr 7, 2009	SQL injection vulnerability in func/login.php in MercuryBoard 1.1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header ($_SERVER['HTTP_USER_AGENT']).
CVE-2008-6627	Webbdomain Webshop	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in getin.php in WEBBDOMAIN WebShop 1.2, 1.1, 1.02, and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6626	Webbdomain Quiz	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in getin.php in WEBBDOMAIN Quiz 1.02 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6625	Webbdomain Polls	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in getin.php in WEBBDOMAIN Polls (aka Poll) 1.0 and 1.01 allows remote attackers to execute arbitrary SQL commands via the username parameter.

CVE-2008-6678Apr 8, 2009
Quickersite
Quickersite
risk 0.03cvss —epss 0.00
SQL injection vulnerability in asp/includes/contact.asp in QuickerSite 1.8.5 allows remote attackers to execute arbitrary SQL commands via the sNickName parameter in a profile action to default.asp.
CVE-2008-6663Apr 8, 2009
Phpauction
Phpauctions
risk 0.03cvss —epss 0.00
SQL injection vulnerability in profile.php in PHPAuctions.info PHPAuctions (aka PHPAuctionSystem) allows remote attackers to execute arbitrary SQL commands via the auction_id parameter, a different vector than CVE-2009-0106.
CVE-2009-1263Apr 7, 2009
Alikonweb
Com Bookjoomlas
risk 0.03cvss —epss 0.00
SQL injection vulnerability in sub_commententry.php in the BookJoomlas (com_bookjoomlas) component 0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gbid parameter in a comment action to index.php.
CVE-2009-1259Apr 7, 2009
Insanevisions
Adaptbb
risk 0.03cvss —epss 0.00
SQL injection vulnerability in inc/bb/topic.php in Insane Visions AdaptBB 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the topic_id parameter in a topic action to index.php.
CVE-2009-1256Apr 7, 2009
Flexcms
Flexcms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in FlexCMS 2.5 allows remote attackers to execute arbitrary SQL commands via the ItemId parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6656Apr 7, 2009
Openautoclassifieds
Open Auto Classifieds
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to listings.php and (2) the username field to login.php.
CVE-2008-6653Apr 7, 2009
Wh Com
Com Webhosting
risk 0.03cvss —epss 0.00
SQL injection vulnerability in webhosting.php in the Webhosting Component (com_webhosting) module before 1.1 RC7 for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.
CVE-2008-6652Apr 7, 2009
Insanevisions
Onecms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in asd.php in OneCMS 2.5 allows remote attackers to execute arbitrary SQL commands via the sitename parameter.
CVE-2008-6649Apr 7, 2009
Ktools
Photostore
risk 0.03cvss —epss 0.00
SQL injection vulnerability in manager/image_details_editor.php in Ktools PhotoStore 2.5, 2.9.8, 3.1.0, and other versions through 3.5.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6648Apr 7, 2009
Ktools
Photostore
risk 0.03cvss —epss 0.01
SQL injection vulnerability in crumbs.php in Ktools PhotoStore 3.4.3 and 3.5.2 allows remote attackers to execute arbitrary SQL commands via the gid parameter to about_us.php. NOTE: this might be the same issue as CVE-2008-6647.
CVE-2008-6647Apr 7, 2009
Ktools
Photostore
risk 0.03cvss —epss 0.01
SQL injection vulnerability in gallery.php in Ktools PhotoStore 3.4.3 allows remote attackers to execute arbitrary SQL commands via the gid parameter.
CVE-2008-6642Apr 7, 2009
Fluentcms
Fluentcms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in view.php in DotContent FluentCMS 4.x allows remote attackers to execute arbitrary SQL commands via the sid parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6641Apr 7, 2009
Aspindir
Shader Tv
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Shader TV (Beta) allow remote authenticated administrators to execute arbitrary SQL commands via the sid parameter to (1) kanal.asp, (2) google.asp, and (3) hakk.asp in yonet/; and allow remote attackers to execute arbitrary SQL commands via the (4) username or (5) password fields to yonet/default.asp.
CVE-2008-6640Apr 7, 2009
Aspindir
Batmanportal
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in BatmanPorTaL allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) uyeadmin.asp and (2) profil.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6634Apr 7, 2009
Beaussier
Roomphplanning
risk 0.03cvss —epss 0.00
SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attackers to execute arbitrary SQL commands via the idroom parameter to weekview.php.
CVE-2008-6633Apr 7, 2009
Beaussier
Roomphplanning
risk 0.03cvss —epss 0.01
SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attackers to execute arbitrary SQL commands via the idresa parameter to resaopen.php.
CVE-2008-6632Apr 7, 2009
Mercuryboard
Mercuryboard
risk 0.03cvss —epss 0.00
SQL injection vulnerability in func/login.php in MercuryBoard 1.1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header ($_SERVER['HTTP_USER_AGENT']).
CVE-2008-6627Apr 6, 2009
Webbdomain
Webshop
risk 0.03cvss —epss 0.00
SQL injection vulnerability in getin.php in WEBBDOMAIN WebShop 1.2, 1.1, 1.02, and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6626Apr 6, 2009
Webbdomain
Quiz
risk 0.03cvss —epss 0.00
SQL injection vulnerability in getin.php in WEBBDOMAIN Quiz 1.02 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6625Apr 6, 2009
Webbdomain
Polls
risk 0.03cvss —epss 0.00
SQL injection vulnerability in getin.php in WEBBDOMAIN Polls (aka Poll) 1.0 and 1.01 allows remote attackers to execute arbitrary SQL commands via the username parameter.