CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 312 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6378	Mxmania Calendar Mx Professional	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in calendar_Eventupdate.asp in Calendar Mx Professional 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2008-6376	Jbook Jbook	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in main.asp in Jbook allows remote attackers to execute arbitrary SQL commands via the password (pass parameter).
CVE-2008-6372	Ocean12 Technologies Faq Manager Pro	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in default.asp in Ocean12 FAQ Manager Pro 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a Cat action. NOTE: some of these details are obtained from third party information.
CVE-2008-6371	Ocean12 Technologies Membership Manager Pro	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in login.asp in Ocean12 Membership Manager Pro allows remote attackers to execute arbitrary SQL commands via the username (Username parameter).
CVE-2008-6369	Ocean12 Technologies Contact Manager Pro	0.03	—	0.01	Mar 2, 2009	SQL injection vulnerability in default.asp in Ocean12 Contact Manager Pro 1.02 allows remote attackers to execute arbitrary SQL commands via the Sort parameter.
CVE-2008-6366	Adserversolutions Affiliate Software Java	0.03	—	0.01	Mar 2, 2009	SQL injection vulnerability in logon.jsp in Ad Server Solutions Affiliate Software Java 4.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password, possibly related to the uname and pass parameters to logon_process.jsp. NOTE: some of these details are obtained from third party information.
CVE-2008-6365	Adserversolutions Ad Management Software	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in logon.jsp in Ad Server Solutions Ad Management Software Java allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password, related to the uname or pass parameters to logon.jsp or logon_processing.jsp. NOTE: some of these details are obtained from third party information.
CVE-2008-6364	Adserversolutions Banner Exchange Software	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in logon_process.jsp in Ad Server Solutions Banner Exchange Solution Java allows remote attackers to execute arbitrary SQL commands via the (1) username (uname parameter) and (2) password (pass parameter). NOTE: some of these details are obtained from third party information.
CVE-2008-6362	Ezonelink Multiple Membership Script	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in sitepage.php in Multiple Membership Script 2.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6358	Socialgroupie Social Groupie	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in group_index.php in Social Groupie allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6353	Asp Cms Asp CMS	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in index.asp in ASP-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the cha parameter.
CVE-2008-6352	Xpoze Xpoze Pro	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in home.html in Xpoze Pro 4.10 allows remote attackers to execute arbitrary SQL commands via the menu parameter.
CVE-2008-6350	Turnkeyforms Local Classifieds	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in listtest.php in TurnkeyForms Local Classifieds allows remote attackers to execute arbitrary SQL commands via the r parameter.
CVE-2008-6349	Turnkeyforms Business Survey Pro	0.03	—	0.00	Mar 2, 2009	SQL injection vulnerability in survey_results_text.php in TurnkeyForms Business Survey Pro 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6348	Developiteasy Photo Gallery	0.03	—	0.00	Mar 2, 2009	Multiple SQL injection vulnerabilities in DevelopItEasy Photo Gallery 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) cat_id parameter to gallery_category.php, (2) photo_id parameter to gallery_photo.php, and the (3) user_name and (4) user_pass parameters to admin/index.php. NOTE: some of these details are obtained from third party information.
CVE-2008-6345	Cms.maury91 Solarcms	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in Forum.php in SolarCMS 0.53.8 and 1.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to indes.php. NOTE: some of these details are obtained from third party information.
CVE-2008-6337	Joomlaapps Com Volunteer	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in the Volunteer Management System (com_volunteer) module 2.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the job_id parameter in a jobshow action to index.php.
CVE-2008-6333	Matthew General Rss Simple News	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in news.php in RSS Simple News (RSSSN), when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the pid parameter.
CVE-2008-6332	Simplecustomer Simple Customer	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in login.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the password parameter.
CVE-2008-6330	Jaia Interactive Mytopix	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in index.php in MyTopix 1.3.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the send parameter in a notes action.

CVE-2008-6378Mar 2, 2009
Mxmania
Calendar Mx Professional
risk 0.03cvss —epss 0.00
SQL injection vulnerability in calendar_Eventupdate.asp in Calendar Mx Professional 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
CVE-2008-6376Mar 2, 2009
Jbook
Jbook
risk 0.03cvss —epss 0.00
SQL injection vulnerability in main.asp in Jbook allows remote attackers to execute arbitrary SQL commands via the password (pass parameter).
CVE-2008-6372Mar 2, 2009
Ocean12 Technologies
Faq Manager Pro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in default.asp in Ocean12 FAQ Manager Pro 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a Cat action. NOTE: some of these details are obtained from third party information.
CVE-2008-6371Mar 2, 2009
Ocean12 Technologies
Membership Manager Pro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.asp in Ocean12 Membership Manager Pro allows remote attackers to execute arbitrary SQL commands via the username (Username parameter).
CVE-2008-6369Mar 2, 2009
Ocean12 Technologies
Contact Manager Pro
risk 0.03cvss —epss 0.01
SQL injection vulnerability in default.asp in Ocean12 Contact Manager Pro 1.02 allows remote attackers to execute arbitrary SQL commands via the Sort parameter.
CVE-2008-6366Mar 2, 2009
Adserversolutions
Affiliate Software Java
risk 0.03cvss —epss 0.01
SQL injection vulnerability in logon.jsp in Ad Server Solutions Affiliate Software Java 4.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password, possibly related to the uname and pass parameters to logon_process.jsp. NOTE: some of these details are obtained from third party information.
CVE-2008-6365Mar 2, 2009
Adserversolutions
Ad Management Software
risk 0.03cvss —epss 0.00
SQL injection vulnerability in logon.jsp in Ad Server Solutions Ad Management Software Java allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password, related to the uname or pass parameters to logon.jsp or logon_processing.jsp. NOTE: some of these details are obtained from third party information.
CVE-2008-6364Mar 2, 2009
Adserversolutions
Banner Exchange Software
risk 0.03cvss —epss 0.00
SQL injection vulnerability in logon_process.jsp in Ad Server Solutions Banner Exchange Solution Java allows remote attackers to execute arbitrary SQL commands via the (1) username (uname parameter) and (2) password (pass parameter). NOTE: some of these details are obtained from third party information.
CVE-2008-6362Mar 2, 2009
Ezonelink
Multiple Membership Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in sitepage.php in Multiple Membership Script 2.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6358Mar 2, 2009
Socialgroupie
Social Groupie
risk 0.03cvss —epss 0.00
SQL injection vulnerability in group_index.php in Social Groupie allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6353Mar 2, 2009
Asp Cms
Asp CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.asp in ASP-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the cha parameter.
CVE-2008-6352Mar 2, 2009
Xpoze
Xpoze Pro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in home.html in Xpoze Pro 4.10 allows remote attackers to execute arbitrary SQL commands via the menu parameter.
CVE-2008-6350Mar 2, 2009
Turnkeyforms
Local Classifieds
risk 0.03cvss —epss 0.00
SQL injection vulnerability in listtest.php in TurnkeyForms Local Classifieds allows remote attackers to execute arbitrary SQL commands via the r parameter.
CVE-2008-6349Mar 2, 2009
Turnkeyforms
Business Survey Pro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in survey_results_text.php in TurnkeyForms Business Survey Pro 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6348Mar 2, 2009
Developiteasy
Photo Gallery
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in DevelopItEasy Photo Gallery 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) cat_id parameter to gallery_category.php, (2) photo_id parameter to gallery_photo.php, and the (3) user_name and (4) user_pass parameters to admin/index.php. NOTE: some of these details are obtained from third party information.
CVE-2008-6345Feb 27, 2009
Cms.maury91
Solarcms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Forum.php in SolarCMS 0.53.8 and 1.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to indes.php. NOTE: some of these details are obtained from third party information.
CVE-2008-6337Feb 27, 2009
Joomlaapps
Com Volunteer
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Volunteer Management System (com_volunteer) module 2.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the job_id parameter in a jobshow action to index.php.
CVE-2008-6333Feb 27, 2009
Matthew General
Rss Simple News
risk 0.03cvss —epss 0.00
SQL injection vulnerability in news.php in RSS Simple News (RSSSN), when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the pid parameter.
CVE-2008-6332Feb 27, 2009
Simplecustomer
Simple Customer
risk 0.03cvss —epss 0.01
SQL injection vulnerability in login.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the password parameter.
CVE-2008-6330Feb 27, 2009
Jaia Interactive
Mytopix
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in MyTopix 1.3.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the send parameter in a notes action.