CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 309 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6509	Igniterealtime Openfire	0.03	—	0.02	Mar 23, 2009	SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp.
CVE-2009-1038	Yap Yap Blog	0.03	—	0.00	Mar 20, 2009	Multiple SQL injection vulnerabilities in YAP Blog 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) image_id parameter to comments.php, and remote authenticated administrators to execute arbitrary SQL commands via the (2) user parameter in a modif action to admin/index.php.
CVE-2009-1033	Deluxebb Deluxebb	0.03	—	0.01	Mar 20, 2009	SQL injection vulnerability in misc.php in DeluxeBB 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the qorder parameter, a different vector than CVE-2005-2989 and CVE-2006-2503.
CVE-2009-1032	Yabsoft Advanced Image Hosting Script	0.03	—	0.01	Mar 20, 2009	SQL injection vulnerability in gallery_list.php in YABSoft Advanced Image Hosting (AIH) Script 2.3 allows remote attackers to execute arbitrary SQL commands via the gal parameter.
CVE-2009-1026	Kimwebsites Kim Websites	0.03	—	0.00	Mar 20, 2009	Multiple SQL injection vulnerabilities in login.php in Kim Websites 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-1024	Beerwin Phplinkadmin	0.03	—	0.01	Mar 20, 2009	Multiple SQL injection vulnerabilities in Beerwin PHPLinkAdmin 1.0 allow remote attackers to execute arbitrary SQL commands via the linkid parameter to edlink.php, and unspecified other vectors.
CVE-2009-1023	Phpcomasy Phpcomasy	0.03	—	0.01	Mar 20, 2009	SQL injection vulnerability in index.php in phpComasy 0.9.1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter.
CVE-2009-0968	Fahlstad Fmoblog Plugin	0.03	—	0.02	Mar 19, 2009	SQL injection vulnerability in fmoblog.php in the fMoblog plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-0965	Ismail Fahmi Ganesha Digital Library	0.03	—	0.00	Mar 19, 2009	SQL injection vulnerability in functions/browse.php in Ganesha Digital Library (GDL) 4.0 and 4.2 allows remote attackers to execute arbitrary SQL commands via the node parameter in a browse action to gdl.php.
CVE-2009-0963	Xlinesoft Phprunner	0.03	—	0.02	Mar 19, 2009	Multiple SQL injection vulnerabilities in PHPRunner 4.2, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the SearchField parameter to (1) UserView_list.php, (2) orders_list.php, (3) users_list.php, and (4) Administrator_list.php.
CVE-2008-6489	Huseyin Bora Abaci Com Myalbum	0.03	—	0.00	Mar 19, 2009	SQL injection vulnerability in MyAlbum component (com_myalbum) 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the album parameter to index.php.
CVE-2008-6488	Softcomplex PHP Image Gallery	0.03	—	0.00	Mar 18, 2009	SQL injection vulnerability in index.php in SoftComplex PHP Image Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the Admin field in a login action.
CVE-2008-6487	Digiappz Digiaffiliate	0.03	—	0.00	Mar 18, 2009	Multiple SQL injection vulnerabilities in login.asp in Digiappz DigiAffiliate 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) admin and (2) password fields.
CVE-2008-6485	Softcomplex PHP Image Gallery	0.03	—	0.00	Mar 18, 2009	SQL injection vulnerability in index.php in SoftComplex PHP Image Gallery allows remote attackers to execute arbitrary SQL commands via the ctg parameter.
CVE-2008-6484	Mole Group Taxi Calc Dist Script	0.03	—	0.00	Mar 18, 2009	SQL injection vulnerability in login.php in Mole Group Taxi Map Script (aka Taxi Calc Dist Script) allows remote attackers to execute arbitrary SQL commands via the user field.
CVE-2008-6481	Joomprod Com Versioning	0.03	—	0.00	Mar 17, 2009	SQL injection vulnerability in the Versioning component (com_versioning) 1.0.2 in Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit task to index.php.
CVE-2008-6477	Mumbojumbo Op4	0.03	—	0.00	Mar 16, 2009	SQL injection vulnerability in Mumbo Jumbo Media OP4 allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2008-6475	Drake Team Drake CMS	0.03	—	0.00	Mar 16, 2009	SQL injection vulnerability in the guestbook component (components/guestbook/guestbook.php) in Drake CMS 0.4.11 and earlier allows remote attackers to execute arbitrary SQL commands via the Via HTTP header (HTTP_VIA) to index.php.
CVE-2008-6471	Mountaingrafix Easylink	0.03	—	0.00	Mar 13, 2009	SQL injection vulnerability in detail.php in MountainGrafix easyLink 1.1.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter in a show action.
CVE-2008-6469	Plaincart Plaincart	0.03	—	0.00	Mar 13, 2009	SQL injection vulnerability in index.php in PlainCart 1.1.2 allows remote attackers to execute arbitrary SQL commands via the p parameter.

CVE-2008-6509Mar 23, 2009
Igniterealtime
Openfire
risk 0.03cvss —epss 0.02
SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp.
CVE-2009-1038Mar 20, 2009
Yap
Yap Blog
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in YAP Blog 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) image_id parameter to comments.php, and remote authenticated administrators to execute arbitrary SQL commands via the (2) user parameter in a modif action to admin/index.php.
CVE-2009-1033Mar 20, 2009
Deluxebb
Deluxebb
risk 0.03cvss —epss 0.01
SQL injection vulnerability in misc.php in DeluxeBB 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the qorder parameter, a different vector than CVE-2005-2989 and CVE-2006-2503.
CVE-2009-1032Mar 20, 2009
Yabsoft
Advanced Image Hosting Script
risk 0.03cvss —epss 0.01
SQL injection vulnerability in gallery_list.php in YABSoft Advanced Image Hosting (AIH) Script 2.3 allows remote attackers to execute arbitrary SQL commands via the gal parameter.
CVE-2009-1026Mar 20, 2009
Kimwebsites
Kim Websites
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.php in Kim Websites 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
CVE-2009-1024Mar 20, 2009
Beerwin
Phplinkadmin
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Beerwin PHPLinkAdmin 1.0 allow remote attackers to execute arbitrary SQL commands via the linkid parameter to edlink.php, and unspecified other vectors.
CVE-2009-1023Mar 20, 2009
Phpcomasy
Phpcomasy
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in phpComasy 0.9.1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter.
CVE-2009-0968Mar 19, 2009
Fahlstad
Fmoblog Plugin
risk 0.03cvss —epss 0.02
SQL injection vulnerability in fmoblog.php in the fMoblog plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. NOTE: some of these details are obtained from third party information.
CVE-2009-0965Mar 19, 2009
Ismail Fahmi
Ganesha Digital Library
risk 0.03cvss —epss 0.00
SQL injection vulnerability in functions/browse.php in Ganesha Digital Library (GDL) 4.0 and 4.2 allows remote attackers to execute arbitrary SQL commands via the node parameter in a browse action to gdl.php.
CVE-2009-0963Mar 19, 2009
Xlinesoft
Phprunner
risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in PHPRunner 4.2, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the SearchField parameter to (1) UserView_list.php, (2) orders_list.php, (3) users_list.php, and (4) Administrator_list.php.
CVE-2008-6489Mar 19, 2009
Huseyin Bora Abaci
Com Myalbum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in MyAlbum component (com_myalbum) 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the album parameter to index.php.
CVE-2008-6488Mar 18, 2009
Softcomplex
PHP Image Gallery
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in SoftComplex PHP Image Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the Admin field in a login action.
CVE-2008-6487Mar 18, 2009
Digiappz
Digiaffiliate
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.asp in Digiappz DigiAffiliate 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) admin and (2) password fields.
CVE-2008-6485Mar 18, 2009
Softcomplex
PHP Image Gallery
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in SoftComplex PHP Image Gallery allows remote attackers to execute arbitrary SQL commands via the ctg parameter.
CVE-2008-6484Mar 18, 2009
Mole Group
Taxi Calc Dist Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in Mole Group Taxi Map Script (aka Taxi Calc Dist Script) allows remote attackers to execute arbitrary SQL commands via the user field.
CVE-2008-6481Mar 17, 2009
Joomprod
Com Versioning
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Versioning component (com_versioning) 1.0.2 in Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit task to index.php.
CVE-2008-6477Mar 16, 2009
Mumbojumbo
Op4
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Mumbo Jumbo Media OP4 allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2008-6475Mar 16, 2009
Drake Team
Drake CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the guestbook component (components/guestbook/guestbook.php) in Drake CMS 0.4.11 and earlier allows remote attackers to execute arbitrary SQL commands via the Via HTTP header (HTTP_VIA) to index.php.
CVE-2008-6471Mar 13, 2009
Mountaingrafix
Easylink
risk 0.03cvss —epss 0.00
SQL injection vulnerability in detail.php in MountainGrafix easyLink 1.1.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter in a show action.
CVE-2008-6469Mar 13, 2009
Plaincart
Plaincart
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in PlainCart 1.1.2 allows remote attackers to execute arbitrary SQL commands via the p parameter.