CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 311 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6419	Socialsitegenerator Social Site Generator	0.03	—	0.01	Mar 6, 2009	Multiple SQL injection vulnerabilities in Social Site Generator (SSG) 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) sgc_id parameter to display_blog.php, (2) scm_mem_id parameter to social_my_profile_download.php, and the (3) catid parameter to social_forum_subcategories.php.
CVE-2008-6418	Torrenttrader Torrenttrader	0.03	—	0.01	Mar 6, 2009	SQL injection vulnerability in scrape.php in TorrentTrader before 2008-05-13 allows remote attackers to execute arbitrary SQL commands via the info_hash parameter.
CVE-2008-6414	Aj Square Ajauction	0.03	—	0.00	Mar 6, 2009	SQL injection vulnerability in detail.php in AJ Auction Pro Platinum Skin 2 allows remote attackers to execute arbitrary SQL commands via the item_id parameter.
CVE-2008-6409	Brian Wilson Ol\'bookmarks	0.03	—	0.00	Mar 6, 2009	SQL injection vulnerability in index.php in ol'bookmarks manager 0.7.5 allows remote attackers to execute arbitrary SQL commands via the id parameter in a brain action.
CVE-2008-6405	Greatclone Hotscripts Clone	0.03	—	0.00	Mar 6, 2009	SQL injection vulnerability in showcategory.php in Hotscripts Clone allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2008-6401	Jetik Jetik Web	0.03	—	0.00	Mar 6, 2009	SQL injection vulnerability in sayfa.php in JETIK-WEB allows remote attackers to execute arbitrary SQL commands via the kat parameter.
CVE-2009-0768	Yapbb Yapbb	0.03	—	0.00	Mar 6, 2009	SQL injection vulnerability in forumhop.php in YapBB 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the forumID parameter in a next action.
CVE-2009-0832	E Cart E Cart	0.03	—	0.01	Mar 5, 2009	SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter.
CVE-2009-0831	PHP-Fusion Members Cv Module	0.03	—	0.01	Mar 5, 2009	SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter.
CVE-2009-0829	Andrew Freed Quotebook	0.03	—	0.00	Mar 5, 2009	Multiple SQL injection vulnerabilities in QuoteBook allow remote attackers to execute arbitrary SQL commands via the (1) MyBox and (2) selectFavorites parameters to (a) quotes.php and the (3) QuoteName and (4) QuoteText parameters to (b) quotesadd.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-0810	Xatrix Xguestbook	0.03	—	0.00	Mar 4, 2009	SQL injection vulnerability in login.php in xGuestbook 2.0 allows remote attackers to execute arbitrary SQL commands via the user parameter.
CVE-2008-6394	Cs Cart Cs Cart	0.03	—	0.01	Mar 4, 2009	SQL injection vulnerability in core/user.php in CS-Cart 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the cs_cookies[customer_user_id] cookie parameter.
CVE-2009-0750	Tombstone Smnews	0.03	—	0.01	Mar 2, 2009	SQL injection vulnerability in login.php in the smNews example script for txtSQL 2.2 Final allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6392	1scripts Z1exchange	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in showads.php in Z1Exchange allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6391	Jbook Jbook	0.03	—	0.01	Mar 2, 2009	SQL injection vulnerability in main.asp in Jbook allows remote attackers to execute arbitrary SQL commands via the username (user parameter).
CVE-2008-6390	Ocean12 Technologies Membership Manager Pro	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in login.asp in Ocean12 Membership Manager Pro allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6389	Aliensoftcorp Rae Media Contact Management	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in asadmin/default.asp in Rae Media Contact Management Software SOHO, Standard, and Enterprise allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6381	Bcoos Bcoos	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in modules/adresses/viewcat.php in bcoos 1.0.13, and possibly earlier, allows remote authenticated users with Addresses module permissions to execute arbitrary SQL commands via the cid parameter.
CVE-2008-6380	Activewebsoftwares Active Web Helpdesk	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in default.aspx in Active Web Helpdesk 2.0 allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter.
CVE-2008-6379	Mxmania Gallery Mx	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in pics_pre.asp in Gallery MX 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.

CVE-2008-6419Mar 6, 2009
Socialsitegenerator
Social Site Generator
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Social Site Generator (SSG) 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) sgc_id parameter to display_blog.php, (2) scm_mem_id parameter to social_my_profile_download.php, and the (3) catid parameter to social_forum_subcategories.php.
CVE-2008-6418Mar 6, 2009
Torrenttrader
Torrenttrader
risk 0.03cvss —epss 0.01
SQL injection vulnerability in scrape.php in TorrentTrader before 2008-05-13 allows remote attackers to execute arbitrary SQL commands via the info_hash parameter.
CVE-2008-6414Mar 6, 2009
Aj Square
Ajauction
risk 0.03cvss —epss 0.00
SQL injection vulnerability in detail.php in AJ Auction Pro Platinum Skin 2 allows remote attackers to execute arbitrary SQL commands via the item_id parameter.
CVE-2008-6409Mar 6, 2009
Brian Wilson
Ol\'bookmarks
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in ol'bookmarks manager 0.7.5 allows remote attackers to execute arbitrary SQL commands via the id parameter in a brain action.
CVE-2008-6405Mar 6, 2009
Greatclone
Hotscripts Clone
risk 0.03cvss —epss 0.00
SQL injection vulnerability in showcategory.php in Hotscripts Clone allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2008-6401Mar 6, 2009
Jetik
Jetik Web
risk 0.03cvss —epss 0.00
SQL injection vulnerability in sayfa.php in JETIK-WEB allows remote attackers to execute arbitrary SQL commands via the kat parameter.
CVE-2009-0768Mar 6, 2009
Yapbb
Yapbb
risk 0.03cvss —epss 0.00
SQL injection vulnerability in forumhop.php in YapBB 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the forumID parameter in a next action.
CVE-2009-0832Mar 5, 2009
E Cart
E Cart
risk 0.03cvss —epss 0.01
SQL injection vulnerability in items.php in the E-Cart module 1.3 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the CA parameter.
CVE-2009-0831Mar 5, 2009
PHP-Fusion
Members Cv Module
risk 0.03cvss —epss 0.01
SQL injection vulnerability in members.php in the Members CV (job) module 1.0 for PHP-Fusion, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the sortby parameter.
CVE-2009-0829Mar 5, 2009
Andrew Freed
Quotebook
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in QuoteBook allow remote attackers to execute arbitrary SQL commands via the (1) MyBox and (2) selectFavorites parameters to (a) quotes.php and the (3) QuoteName and (4) QuoteText parameters to (b) quotesadd.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2009-0810Mar 4, 2009
Xatrix
Xguestbook
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in xGuestbook 2.0 allows remote attackers to execute arbitrary SQL commands via the user parameter.
CVE-2008-6394Mar 4, 2009
Cs Cart
Cs Cart
risk 0.03cvss —epss 0.01
SQL injection vulnerability in core/user.php in CS-Cart 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the cs_cookies[customer_user_id] cookie parameter.
CVE-2009-0750Mar 2, 2009
Tombstone
Smnews
risk 0.03cvss —epss 0.01
SQL injection vulnerability in login.php in the smNews example script for txtSQL 2.2 Final allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6392Mar 2, 2009
1scripts
Z1exchange
risk 0.03cvss —epss 0.00
SQL injection vulnerability in showads.php in Z1Exchange allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6391Mar 2, 2009
Jbook
Jbook
risk 0.03cvss —epss 0.01
SQL injection vulnerability in main.asp in Jbook allows remote attackers to execute arbitrary SQL commands via the username (user parameter).
CVE-2008-6390Mar 2, 2009
Ocean12 Technologies
Membership Manager Pro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.asp in Ocean12 Membership Manager Pro allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6389Mar 2, 2009
Aliensoftcorp
Rae Media Contact Management
risk 0.03cvss —epss 0.00
SQL injection vulnerability in asadmin/default.asp in Rae Media Contact Management Software SOHO, Standard, and Enterprise allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6381Mar 2, 2009
Bcoos
Bcoos
risk 0.03cvss —epss 0.00
SQL injection vulnerability in modules/adresses/viewcat.php in bcoos 1.0.13, and possibly earlier, allows remote authenticated users with Addresses module permissions to execute arbitrary SQL commands via the cid parameter.
CVE-2008-6380Mar 2, 2009
Activewebsoftwares
Active Web Helpdesk
risk 0.03cvss —epss 0.00
SQL injection vulnerability in default.aspx in Active Web Helpdesk 2.0 allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter.
CVE-2008-6379Mar 2, 2009
Mxmania
Gallery Mx
risk 0.03cvss —epss 0.00
SQL injection vulnerability in pics_pre.asp in Gallery MX 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.