CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 308 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-2593 | Hig | 0.47 | 7.2 | 0.01 | Aug 22, 2022 | The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks | ||
| CVE-2022-25811 | Hig | 0.47 | 7.2 | 0.01 | Aug 22, 2022 | The Transposh WordPress Translation WordPress plugin through 1.0.8 does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection | ||
| CVE-2022-2674 | Hig | 0.47 | 7.3 | 0.01 | Aug 5, 2022 | A vulnerability was found in SourceCodester Best Fee Management System. It has been rated as critical. Affected by this issue is the function login of the file admin_class.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely.… | ||
| CVE-2021-44915 | Hig | 0.47 | 7.2 | 0.01 | Jul 5, 2022 | Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category. | ||
| CVE-2021-40955 | Hig | 0.47 | 7.2 | 0.01 | Jun 23, 2022 | SQL injection exists in LaiKetui v3.5.0 the background administrator list. | ||
| CVE-2022-1472 | Hig | 0.47 | 7.2 | 0.01 | Jun 20, 2022 | The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection | ||
| CVE-2019-12359 | Hig | 0.47 | 7.2 | 0.01 | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter. | ||
| CVE-2019-12357 | Hig | 0.47 | 7.2 | 0.01 | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter. | ||
| CVE-2019-12354 | Hig | 0.47 | 7.2 | 0.01 | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter. | ||
| CVE-2019-12353 | Hig | 0.47 | 7.2 | 0.01 | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter. | ||
| CVE-2022-1800 | Hig | 0.47 | 7.2 | 0.01 | Jun 13, 2022 | The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability. | ||
| CVE-2022-26116 | Hig | 0.47 | 7.2 | 0.01 | May 11, 2022 | Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow… | ||
| CVE-2022-1429 | Hig | 0.47 | 7.5 | 0.64 | Apr 22, 2022 | SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of steal the data | ||
| CVE-2020-13590 | Hig | 0.47 | 7.2 | 0.01 | Apr 18, 2022 | Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities,… | ||
| CVE-2022-27369 | Hig | 0.47 | 7.2 | 0.01 | Apr 15, 2022 | Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy. | ||
| CVE-2022-27368 | Hig | 0.47 | 7.2 | 0.01 | Apr 15, 2022 | Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Lists.php_zhuan. | ||
| CVE-2022-27367 | Hig | 0.47 | 7.2 | 0.01 | Apr 15, 2022 | Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Topic.php_del. | ||
| CVE-2022-27366 | Hig | 0.47 | 7.2 | 0.01 | Apr 15, 2022 | Cscms Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the component dance_Dance.php_hy. | ||
| CVE-2022-27365 | Hig | 0.47 | 7.2 | 0.01 | Apr 15, 2022 | Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del. | ||
| CVE-2022-1023 | Hig | 0.47 | 7.2 | 0.01 | Apr 11, 2022 | The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file |
- risk 0.47cvss 7.2epss 0.01
The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks
- risk 0.47cvss 7.2epss 0.01
The Transposh WordPress Translation WordPress plugin through 1.0.8 does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection
- risk 0.47cvss 7.3epss 0.01
A vulnerability was found in SourceCodester Best Fee Management System. It has been rated as critical. Affected by this issue is the function login of the file admin_class.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely.…
- risk 0.47cvss 7.2epss 0.01
Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.
- risk 0.47cvss 7.2epss 0.01
SQL injection exists in LaiKetui v3.5.0 the background administrator list.
- risk 0.47cvss 7.2epss 0.01
The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection
- risk 0.47cvss 7.2epss 0.01
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter.
- risk 0.47cvss 7.2epss 0.01
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter.
- risk 0.47cvss 7.2epss 0.01
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter.
- risk 0.47cvss 7.2epss 0.01
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter.
- risk 0.47cvss 7.2epss 0.01
The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.
- risk 0.47cvss 7.2epss 0.01
Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow…
- risk 0.47cvss 7.5epss 0.64
SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of steal the data
- risk 0.47cvss 7.2epss 0.01
Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities,…
- risk 0.47cvss 7.2epss 0.01
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy.
- risk 0.47cvss 7.2epss 0.01
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Lists.php_zhuan.
- risk 0.47cvss 7.2epss 0.01
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Topic.php_del.
- risk 0.47cvss 7.2epss 0.01
Cscms Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the component dance_Dance.php_hy.
- risk 0.47cvss 7.2epss 0.01
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del.
- risk 0.47cvss 7.2epss 0.01
The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file