CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,841)

page 314 of 443

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2008-6282	Ortus.nirn CMS Ortus	0.03	—	0.01	Feb 25, 2009	SQL injection vulnerability in engine/users/users_edit_pub.inc in CMS Ortus 1.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the city parameter in a users_edit_pub action to index.php.
CVE-2008-6281	Bluocms Bluo CMS	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in index.php in Bluo CMS 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6277	Rakhisoftware Rakhisoftware Shopping Cart	0.03	—	0.01	Feb 25, 2009	SQL injection vulnerability in product.php in RakhiSoftware Price Comparison Script (aka Shopping Cart) allows remote attackers to execute arbitrary SQL commands via the subcategory_id parameter.
CVE-2008-6274	Mjcreation Familyproject	0.03	—	0.00	Feb 25, 2009	Multiple SQL injection vulnerabilities in index.php in FamilyProject 2.0 allow remote attackers to execute arbitrary SQL commands via (1) the logmbr parameter (aka login field) or (2) the mdpmbr parameter (aka pass or "Mot de passe" field). NOTE: some of these details are obtained from third party information.
CVE-2009-0741	Craftsilicon Banking\@home	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in Login.asp in Craft Silicon Banking@Home 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginName parameter.
CVE-2009-0740	Frankmancuso Bluebird	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in login.php in BlueBird Prelease allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
CVE-2009-0739	Frankmancuso Mynews	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in login.php in MyNews 0.10 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
CVE-2009-0738	Frankmancuso Auth PHP	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in login.php in Auth Php 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
CVE-2008-6272	Miticdjd Apoll	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0.7 beta and 0.7.5 allows remote attackers to execute arbitrary SQL command via the pass parameter.
CVE-2008-6270	Miticdjd Apoll	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0.7 beta and 0.7.5 allows remote attackers to execute arbitrary SQL command via the user parameter.
CVE-2008-6268	Sadi Samami Multi Languages Webshop Online	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in detail.php in WEBBDOMAIN Multi Languages WebShop Online 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6266	Appstate Phpwebsite	0.03	—	0.00	Feb 25, 2009	SQL injection vulnerability in links.php in Appalachian State University phpWebSite allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewlink action.
CVE-2009-0730	Gigcalendar Com Gigcalendar	0.03	—	0.01	Feb 24, 2009	Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the gigcal _venues_id parameter in a details action to index.php, which is not properly handled by venuedetails.php, and (2) the gigcal_bands_id parameter in a details action to index.php, which is not properly handled by banddetails.php, different vectors than CVE-2009-0726.
CVE-2009-0728	Maxdev My Egallery	0.03	—	0.00	Feb 24, 2009	SQL injection vulnerability in the My_eGallery module for MAXdev MDPro (MD-Pro) and Postnuke allows remote attackers to execute arbitrary SQL commands via the pid parameter in a showpic action to index.php.
CVE-2009-0727	Tony Iha Kazungu Taifajobs	0.03	—	0.00	Feb 24, 2009	SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
CVE-2009-0726	Gigcalendar Com Gigcalendar	0.03	—	0.00	Feb 24, 2009	SQL injection vulnerability in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the gigcal_gigs_id parameter in a details action to index.php.
CVE-2008-6264	E Topbiz Slide Popups	0.03	—	0.01	Feb 24, 2009	SQL injection vulnerability in admin/admin.php in E-topbiz Slide Popups 1.0 allows remote attackers to execute arbitrary SQL commands via the password parameter.
CVE-2008-6263	Infireal Saturncms	0.03	—	0.01	Feb 24, 2009	SQL injection vulnerability in lib/user/t_user.php in SaturnCMS allows remote attackers to execute arbitrary SQL commands via the username parameter to the _userLoggedIn function. NOTE: some of these details are obtained from third party information.
CVE-2008-6262	Infireal Saturncms	0.03	—	0.00	Feb 24, 2009	SQL injection vulnerability in lib/url/meta_url.php in SaturnCMS allows remote attackers to execute arbitrary SQL commands via the URL to the translate function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6261	E Topbiz Admanager	0.03	—	0.00	Feb 24, 2009	SQL injection vulnerability in view.php in E-topbiz AdManager 4 allows remote attackers to execute arbitrary SQL commands via the group parameter.

CVE-2008-6282Feb 25, 2009
Ortus.nirn
CMS Ortus
risk 0.03cvss —epss 0.01
SQL injection vulnerability in engine/users/users_edit_pub.inc in CMS Ortus 1.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the city parameter in a users_edit_pub action to index.php.
CVE-2008-6281Feb 25, 2009
Bluocms
Bluo CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Bluo CMS 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6277Feb 25, 2009
Rakhisoftware
Rakhisoftware Shopping Cart
risk 0.03cvss —epss 0.01
SQL injection vulnerability in product.php in RakhiSoftware Price Comparison Script (aka Shopping Cart) allows remote attackers to execute arbitrary SQL commands via the subcategory_id parameter.
CVE-2008-6274Feb 25, 2009
Mjcreation
Familyproject
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in index.php in FamilyProject 2.0 allow remote attackers to execute arbitrary SQL commands via (1) the logmbr parameter (aka login field) or (2) the mdpmbr parameter (aka pass or "Mot de passe" field). NOTE: some of these details are obtained from third party information.
CVE-2009-0741Feb 25, 2009
Craftsilicon
Banking\@home
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Login.asp in Craft Silicon Banking@Home 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginName parameter.
CVE-2009-0740Feb 25, 2009
Frankmancuso
Bluebird
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in BlueBird Prelease allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
CVE-2009-0739Feb 25, 2009
Frankmancuso
Mynews
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in MyNews 0.10 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
CVE-2009-0738Feb 25, 2009
Frankmancuso
Auth PHP
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in Auth Php 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) passwd parameters.
CVE-2008-6272Feb 25, 2009
Miticdjd
Apoll
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0.7 beta and 0.7.5 allows remote attackers to execute arbitrary SQL command via the pass parameter.
CVE-2008-6270Feb 25, 2009
Miticdjd
Apoll
risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/index.php in Dragan Mitic Apoll 0.7 beta and 0.7.5 allows remote attackers to execute arbitrary SQL command via the user parameter.
CVE-2008-6268Feb 25, 2009
Sadi Samami
Multi Languages Webshop Online
risk 0.03cvss —epss 0.00
SQL injection vulnerability in detail.php in WEBBDOMAIN Multi Languages WebShop Online 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6266Feb 25, 2009
Appstate
Phpwebsite
risk 0.03cvss —epss 0.00
SQL injection vulnerability in links.php in Appalachian State University phpWebSite allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewlink action.
CVE-2009-0730Feb 24, 2009
Gigcalendar
Com Gigcalendar
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla!, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the gigcal _venues_id parameter in a details action to index.php, which is not properly handled by venuedetails.php, and (2) the gigcal_bands_id parameter in a details action to index.php, which is not properly handled by banddetails.php, different vectors than CVE-2009-0726.
CVE-2009-0728Feb 24, 2009
Maxdev
My Egallery
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the My_eGallery module for MAXdev MDPro (MD-Pro) and Postnuke allows remote attackers to execute arbitrary SQL commands via the pid parameter in a showpic action to index.php.
CVE-2009-0727Feb 24, 2009
Tony Iha Kazungu
Taifajobs
risk 0.03cvss —epss 0.00
SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the jobid parameter.
CVE-2009-0726Feb 24, 2009
Gigcalendar
Com Gigcalendar
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the GigCalendar (com_gigcal) component 1.0 for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the gigcal_gigs_id parameter in a details action to index.php.
CVE-2008-6264Feb 24, 2009
E Topbiz
Slide Popups
risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin/admin.php in E-topbiz Slide Popups 1.0 allows remote attackers to execute arbitrary SQL commands via the password parameter.
CVE-2008-6263Feb 24, 2009
Infireal
Saturncms
risk 0.03cvss —epss 0.01
SQL injection vulnerability in lib/user/t_user.php in SaturnCMS allows remote attackers to execute arbitrary SQL commands via the username parameter to the _userLoggedIn function. NOTE: some of these details are obtained from third party information.
CVE-2008-6262Feb 24, 2009
Infireal
Saturncms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in lib/url/meta_url.php in SaturnCMS allows remote attackers to execute arbitrary SQL commands via the URL to the translate function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6261Feb 24, 2009
E Topbiz
Admanager
risk 0.03cvss —epss 0.00
SQL injection vulnerability in view.php in E-topbiz AdManager 4 allows remote attackers to execute arbitrary SQL commands via the group parameter.