CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 308 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6624	Webbdomain Petition	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in getin.php in WEBBDOMAIN Petition 1.02, 2.0, and 3.0 allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6623	Webbdomain Post Card	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in getin.php in WEBBDOMAIN Post Card (aka Web Postcards) 1.02 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6622	Webbdomain Post Card	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in choosecard.php in WEBBDOMAIN Post Card (aka Web Postcards) 1.02, 1.01, and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
CVE-2008-6618	Netlab Classsystem	0.03	—	0.02	Apr 6, 2009	Multiple SQL injection vulnerabilities in ClassSystem 2.3 allow remote attackers to execute arbitrary SQL commands via the teacher_id parameter in (1) class/HomepageMain.php and (2) class/HomepageTop.php, and (3) the message_id parameter in class/MessageReply.php.
CVE-2008-6615	Zen Cart ZenCart	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to execute arbitrary SQL commands via the keyword parameter in the advanced_search_result page. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6611	Abweb Minimal Ablog	0.03	—	0.01	Apr 6, 2009	SQL injection vulnerability in index.php in Minimal ABlog 0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6608	Developiteasy Events Calendar	0.03	—	0.00	Apr 6, 2009	Multiple SQL injection vulnerabilities in DevelopItEasy Events Calendar 1.2 allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter (aka user field) to admin/index.php, (2) the user_pass parameter (aka pass field) to admin/index.php, or (3) the id parameter to calendar_details.php. NOTE: some of these details are obtained from third party information.
CVE-2008-6606	Matpo Matpo Link	0.03	—	0.00	Apr 6, 2009	SQL injection vulnerability in view.php in MatPo Link 1.2 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6596	Phpcredo Phcdownload	0.03	—	0.00	Apr 3, 2009	SQL injection vulnerability in admin/index.php in PHCDownload 1.1 allows remote attackers to execute arbitrary SQL commands via the hash parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6593	Lightneasy Lightneasy	0.03	—	0.00	Apr 3, 2009	SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.
CVE-2009-1229	Arcadwy Arcadwy Arcade Script	0.03	—	0.00	Apr 2, 2009	SQL injection vulnerability in Arcadwy Arcade Script allows remote attackers to execute arbitrary SQL commands via the user cookie parameter.
CVE-2009-1224	Scivox Vsp Stats Processor	0.03	—	0.00	Apr 2, 2009	SQL injection vulnerability in vsp-core/pub/themes/bismarck/gamestat.php in vsp stats processor 0.45 allows remote attackers to execute arbitrary SQL commands via the gameID parameter.
CVE-2008-6582	Miniweb2 Miniweb	0.03	—	0.01	Apr 2, 2009	SQL injection vulnerability in index.php in Miniweb 2.0 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
CVE-2008-6572	Abledating Abledating	0.03	—	0.00	Mar 31, 2009	SQL injection vulnerability in search_results.php in ABK-Soft AbleDating 2.4 allows remote attackers to execute arbitrary SQL commands via the keyword parameter.
CVE-2009-1066	Getpixie Pixie CMS	0.03	—	0.01	Mar 26, 2009	SQL injection vulnerability in the referral function in admin/lib/lib_logs.php in Pixie CMS 1.01a allows remote attackers to execute arbitrary SQL commands via the Referer HTTP header in a request.
CVE-2008-6527	—	0.03	—	0.01	Mar 25, 2009	SQL injection vulnerability in forum.asp in GO4I.NET ASP Forum 1.0 allows remote attackers to execute arbitrary SQL commands via the iFor parameter.
CVE-2008-6526	Bosdev Bos Classifieds	0.03	—	0.00	Mar 25, 2009	SQL injection vulnerability in index.php in BosDev BosClassifieds allows remote attackers to execute arbitrary SQL commands via the cat_id parameter, a different vector than CVE-2008-1838.
CVE-2008-6525	Nicephpscripts Nice PHP Faq Script	0.03	—	0.00	Mar 25, 2009	SQL injection vulnerability in the Admin Panel in Nice PHP FAQ Script (Knowledge base Script) allows remote attackers to execute arbitrary SQL commands via the Password parameter (aka the pass field).
CVE-2008-6517	Nick Jenkin Newshowler	0.03	—	0.00	Mar 25, 2009	SQL injection vulnerability in NewsHOWLER 1.03 Beta allows remote attackers to execute arbitrary SQL commands via the news_user cookie parameter.
CVE-2009-1049	Kamads Bloginator	0.03	—	0.02	Mar 24, 2009	SQL injection vulnerability in articleCall.php in Bloginator 1A allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVE-2008-6624Apr 6, 2009
Webbdomain
Petition
risk 0.03cvss —epss 0.00
SQL injection vulnerability in getin.php in WEBBDOMAIN Petition 1.02, 2.0, and 3.0 allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6623Apr 6, 2009
Webbdomain
Post Card
risk 0.03cvss —epss 0.00
SQL injection vulnerability in getin.php in WEBBDOMAIN Post Card (aka Web Postcards) 1.02 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6622Apr 6, 2009
Webbdomain
Post Card
risk 0.03cvss —epss 0.00
SQL injection vulnerability in choosecard.php in WEBBDOMAIN Post Card (aka Web Postcards) 1.02, 1.01, and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.
CVE-2008-6618Apr 6, 2009
Netlab
Classsystem
risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in ClassSystem 2.3 allow remote attackers to execute arbitrary SQL commands via the teacher_id parameter in (1) class/HomepageMain.php and (2) class/HomepageTop.php, and (3) the message_id parameter in class/MessageReply.php.
CVE-2008-6615Apr 6, 2009
Zen Cart
ZenCart
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Zen Software Zen Cart 2008 allows remote attackers to execute arbitrary SQL commands via the keyword parameter in the advanced_search_result page. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6611Apr 6, 2009
Abweb
Minimal Ablog
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Minimal ABlog 0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6608Apr 6, 2009
Developiteasy
Events Calendar
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in DevelopItEasy Events Calendar 1.2 allow remote attackers to execute arbitrary SQL commands via (1) the user_name parameter (aka user field) to admin/index.php, (2) the user_pass parameter (aka pass field) to admin/index.php, or (3) the id parameter to calendar_details.php. NOTE: some of these details are obtained from third party information.
CVE-2008-6606Apr 6, 2009
Matpo
Matpo Link
risk 0.03cvss —epss 0.00
SQL injection vulnerability in view.php in MatPo Link 1.2 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6596Apr 3, 2009
Phpcredo
Phcdownload
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in PHCDownload 1.1 allows remote attackers to execute arbitrary SQL commands via the hash parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6593Apr 3, 2009
Lightneasy
Lightneasy
risk 0.03cvss —epss 0.00
SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy SQLite 1.2.2 and earlier allows remote attackers to inject arbitrary PHP code into comments.dat via the dlid parameter to index.php.
CVE-2009-1229Apr 2, 2009
Arcadwy
Arcadwy Arcade Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Arcadwy Arcade Script allows remote attackers to execute arbitrary SQL commands via the user cookie parameter.
CVE-2009-1224Apr 2, 2009
Scivox
Vsp Stats Processor
risk 0.03cvss —epss 0.00
SQL injection vulnerability in vsp-core/pub/themes/bismarck/gamestat.php in vsp stats processor 0.45 allows remote attackers to execute arbitrary SQL commands via the gameID parameter.
CVE-2008-6582Apr 2, 2009
Miniweb2
Miniweb
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Miniweb 2.0 allows remote attackers to execute arbitrary SQL commands via the username parameter in a login action.
CVE-2008-6572Mar 31, 2009
Abledating
Abledating
risk 0.03cvss —epss 0.00
SQL injection vulnerability in search_results.php in ABK-Soft AbleDating 2.4 allows remote attackers to execute arbitrary SQL commands via the keyword parameter.
CVE-2009-1066Mar 26, 2009
Getpixie
Pixie CMS
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the referral function in admin/lib/lib_logs.php in Pixie CMS 1.01a allows remote attackers to execute arbitrary SQL commands via the Referer HTTP header in a request.
CVE-2008-6527Mar 25, 2009
risk 0.03cvss —epss 0.01
SQL injection vulnerability in forum.asp in GO4I.NET ASP Forum 1.0 allows remote attackers to execute arbitrary SQL commands via the iFor parameter.
CVE-2008-6526Mar 25, 2009
Bosdev
Bos Classifieds
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in BosDev BosClassifieds allows remote attackers to execute arbitrary SQL commands via the cat_id parameter, a different vector than CVE-2008-1838.
CVE-2008-6525Mar 25, 2009
Nicephpscripts
Nice PHP Faq Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Admin Panel in Nice PHP FAQ Script (Knowledge base Script) allows remote attackers to execute arbitrary SQL commands via the Password parameter (aka the pass field).
CVE-2008-6517Mar 25, 2009
Nick Jenkin
Newshowler
risk 0.03cvss —epss 0.00
SQL injection vulnerability in NewsHOWLER 1.03 Beta allows remote attackers to execute arbitrary SQL commands via the news_user cookie parameter.
CVE-2009-1049Mar 24, 2009
Kamads
Bloginator
risk 0.03cvss —epss 0.02
SQL injection vulnerability in articleCall.php in Bloginator 1A allows remote attackers to execute arbitrary SQL commands via the id parameter.