VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 308 of 641
  • CVE-2022-2593HigAug 22, 2022
    risk 0.47cvss 7.2epss 0.01

    The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks

  • CVE-2022-25811HigAug 22, 2022
    risk 0.47cvss 7.2epss 0.01

    The Transposh WordPress Translation WordPress plugin through 1.0.8 does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection

  • CVE-2022-2674HigAug 5, 2022
    risk 0.47cvss 7.3epss 0.01

    A vulnerability was found in SourceCodester Best Fee Management System. It has been rated as critical. Affected by this issue is the function login of the file admin_class.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely.…

  • CVE-2021-44915HigJul 5, 2022
    risk 0.47cvss 7.2epss 0.01

    Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.

  • CVE-2021-40955HigJun 23, 2022
    risk 0.47cvss 7.2epss 0.01

    SQL injection exists in LaiKetui v3.5.0 the background administrator list.

  • CVE-2022-1472HigJun 20, 2022
    risk 0.47cvss 7.2epss 0.01

    The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection

  • CVE-2019-12359HigJun 17, 2022
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter.

  • CVE-2019-12357HigJun 17, 2022
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter.

  • CVE-2019-12354HigJun 17, 2022
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter.

  • CVE-2019-12353HigJun 17, 2022
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter.

  • CVE-2022-1800HigJun 13, 2022
    risk 0.47cvss 7.2epss 0.01

    The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.

  • CVE-2022-26116HigMay 11, 2022
    risk 0.47cvss 7.2epss 0.01

    Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow…

  • CVE-2022-1429HigApr 22, 2022
    risk 0.47cvss 7.5epss 0.64

    SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of steal the data

  • CVE-2020-13590HigApr 18, 2022
    risk 0.47cvss 7.2epss 0.01

    Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities,…

  • CVE-2022-27369HigApr 15, 2022
    risk 0.47cvss 7.2epss 0.01

    Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy.

  • CVE-2022-27368HigApr 15, 2022
    risk 0.47cvss 7.2epss 0.01

    Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Lists.php_zhuan.

  • CVE-2022-27367HigApr 15, 2022
    risk 0.47cvss 7.2epss 0.01

    Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Topic.php_del.

  • CVE-2022-27366HigApr 15, 2022
    risk 0.47cvss 7.2epss 0.01

    Cscms Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the component dance_Dance.php_hy.

  • CVE-2022-27365HigApr 15, 2022
    risk 0.47cvss 7.2epss 0.01

    Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del.

  • CVE-2022-1023HigApr 11, 2022
    risk 0.47cvss 7.2epss 0.01

    The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file