CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 313 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6329	Preprojects Pre Asp Job Board	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in Employee/login.asp in Pre ASP Job Board allows remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password parameters, as reachable from Employee/emp_login.asp. NOTE: some of these details are obtained from third party information.
CVE-2008-6328	Butterflymedia Butterfly Organizer	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in view.php in Butterfly Organizer 2.0.0 and 2.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6327	Manzovi Proquiz	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote attackers to execute arbitrary SQL commands via the password parameter, a different vector than CVE-2008-6312.
CVE-2008-6326	Simplecustomer Simple Customer	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in login.php in Simple Customer as downloaded on 20081118 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6324	Cfmsource Cf Forum	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in forummessages.cfm in CF_Forum allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter.
CVE-2008-6323	Cfmsource Cf Auction	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in forummessages.cfm in CFMSource CF_Auction allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter.
CVE-2008-6322	Cfmsource Cfmblog	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in index.cfm in CFMSource CFMBlog allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter.
CVE-2008-6320	Cfshopkart Cf Shopkart	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in index.cfm in CF Shopkart 5.2.2 allows remote attackers to execute arbitrary SQL commands via the Category parameter in a ViewCategory action.
CVE-2008-6319	Cfmsource Cf Calendar	0.03	—	0.00	Feb 27, 2009	SQL injection vulnerability in calendarevent.cfm in CF_Calendar allows remote attackers to execute arbitrary SQL commands via the calid parameter.
CVE-2008-6314	PhpBB Tag Board	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in tag_board.php in the Tag Board module 4.0 and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action.
CVE-2008-6312	Manzovi Proquiz	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6311	Butterflymedia Butterfly Organizer	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in view.php in Butterfly Organizer 2.0.1 allows remote attackers to execute arbitrary SQL commands via the mytable parameter. NOTE: the id vector is covered by another CVE name.
CVE-2008-6310	—	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in index.php in W3matter RevSense 1.0 allows remote attackers to execute arbitrary SQL commands via the f[password] parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6309	—	0.03	—	0.01	Feb 27, 2009	SQL injection vulnerability in index.php in W3matter AskPert allows remote attackers to execute arbitrary SQL commands via the f[password] parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6303	Toursmanager Tours Manager	0.03	—	0.00	Feb 26, 2009	SQL injection vulnerability in tourview.php in ToursManager allows remote attackers to execute arbitrary SQL commands via the tourid parameter.
CVE-2008-6301	Prezmo Small Shoutbox	0.03	—	0.00	Feb 26, 2009	SQL injection vulnerability in shoutbox_view.php in the Small ShoutBox module 1.4 for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action.
CVE-2008-6289	Toursmanager Tours Manager	0.03	—	0.00	Feb 26, 2009	SQL injection vulnerability in cityview.php in Tours Manager 1.0 allows remote attackers to execute arbitrary SQL commands via the cityid parameter.
CVE-2008-6286	Activewebsoftwares Active Newsletter	0.03	—	0.00	Feb 25, 2009	Multiple SQL injection vulnerabilities in SubscriberStart.asp in Active Newsletter 4.3 allow remote attackers to execute arbitrary SQL commands via (1) the email parameter (aka username or E-mail field), or (2) the password parameter (aka password field), to (a) Subscriber.asp or (b) start.asp. NOTE: some of these details are obtained from third party information.
CVE-2008-6285	Businessvein PHP Tv Portal	0.03	—	0.01	Feb 25, 2009	SQL injection vulnerability in index.php in PHP TV Portal 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the mid parameter.
CVE-2008-6284	1scripts Z1exchange	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in edit.php in Z1Exchange 1.0 allows remote attackers to execute arbitrary SQL commands via the site parameter.

CVE-2008-6329Feb 27, 2009
Preprojects
Pre Asp Job Board
risk 0.03cvss —epss 0.01
SQL injection vulnerability in Employee/login.asp in Pre ASP Job Board allows remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password parameters, as reachable from Employee/emp_login.asp. NOTE: some of these details are obtained from third party information.
CVE-2008-6328Feb 27, 2009
Butterflymedia
Butterfly Organizer
risk 0.03cvss —epss 0.01
SQL injection vulnerability in view.php in Butterfly Organizer 2.0.0 and 2.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6327Feb 27, 2009
Manzovi
Proquiz
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote attackers to execute arbitrary SQL commands via the password parameter, a different vector than CVE-2008-6312.
CVE-2008-6326Feb 27, 2009
Simplecustomer
Simple Customer
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in Simple Customer as downloaded on 20081118 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6324Feb 27, 2009
Cfmsource
Cf Forum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in forummessages.cfm in CF_Forum allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter.
CVE-2008-6323Feb 27, 2009
Cfmsource
Cf Auction
risk 0.03cvss —epss 0.00
SQL injection vulnerability in forummessages.cfm in CFMSource CF_Auction allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter.
CVE-2008-6322Feb 27, 2009
Cfmsource
Cfmblog
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.cfm in CFMSource CFMBlog allows remote attackers to execute arbitrary SQL commands via the categorynbr parameter.
CVE-2008-6320Feb 27, 2009
Cfshopkart
Cf Shopkart
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.cfm in CF Shopkart 5.2.2 allows remote attackers to execute arbitrary SQL commands via the Category parameter in a ViewCategory action.
CVE-2008-6319Feb 27, 2009
Cfmsource
Cf Calendar
risk 0.03cvss —epss 0.00
SQL injection vulnerability in calendarevent.cfm in CF_Calendar allows remote attackers to execute arbitrary SQL commands via the calid parameter.
CVE-2008-6314Feb 27, 2009
PhpBB
Tag Board
risk 0.03cvss —epss 0.01
SQL injection vulnerability in tag_board.php in the Tag Board module 4.0 and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action.
CVE-2008-6312Feb 27, 2009
Manzovi
Proquiz
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in ProQuiz 1.0 allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-6311Feb 27, 2009
Butterflymedia
Butterfly Organizer
risk 0.03cvss —epss 0.01
SQL injection vulnerability in view.php in Butterfly Organizer 2.0.1 allows remote attackers to execute arbitrary SQL commands via the mytable parameter. NOTE: the id vector is covered by another CVE name.
CVE-2008-6310Feb 27, 2009
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in W3matter RevSense 1.0 allows remote attackers to execute arbitrary SQL commands via the f[password] parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6309Feb 27, 2009
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in W3matter AskPert allows remote attackers to execute arbitrary SQL commands via the f[password] parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-6303Feb 26, 2009
Toursmanager
Tours Manager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in tourview.php in ToursManager allows remote attackers to execute arbitrary SQL commands via the tourid parameter.
CVE-2008-6301Feb 26, 2009
Prezmo
Small Shoutbox
risk 0.03cvss —epss 0.00
SQL injection vulnerability in shoutbox_view.php in the Small ShoutBox module 1.4 for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter in a delete action.
CVE-2008-6289Feb 26, 2009
Toursmanager
Tours Manager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in cityview.php in Tours Manager 1.0 allows remote attackers to execute arbitrary SQL commands via the cityid parameter.
CVE-2008-6286Feb 25, 2009
Activewebsoftwares
Active Newsletter
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in SubscriberStart.asp in Active Newsletter 4.3 allow remote attackers to execute arbitrary SQL commands via (1) the email parameter (aka username or E-mail field), or (2) the password parameter (aka password field), to (a) Subscriber.asp or (b) start.asp. NOTE: some of these details are obtained from third party information.
CVE-2008-6285Feb 25, 2009
Businessvein
PHP Tv Portal
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in PHP TV Portal 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the mid parameter.
CVE-2008-6284Feb 25, 2009
1scripts
Z1exchange
risk 0.03cvss —epss 0.00
SQL injection vulnerability in edit.php in Z1Exchange 1.0 allows remote attackers to execute arbitrary SQL commands via the site parameter.