CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,833)

page 318 of 442

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-0543	Proftpd Proftpd	0.03	—	0.00	Feb 12, 2009	ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
CVE-2009-0534	Flexcms Flexcms	0.03	—	0.00	Feb 11, 2009	SQL injection vulnerability in FlexCMS allows remote attackers to execute arbitrary SQL commands via the catId parameter.
CVE-2009-0531	Ontarioabandonedplaces A Better Member Based Asp Photo Gallery	0.03	—	0.01	Feb 11, 2009	SQL injection vulnerability in gallery/view.asp in A Better Member-Based ASP Photo Gallery before 1.2 allows remote attackers to execute arbitrary SQL commands via the entry parameter.
CVE-2009-0528	Rhadrix If CMS	0.03	—	0.00	Feb 11, 2009	SQL injection vulnerability in frame.php in Rhadrix If-CMS 2.07 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6117	Pilotgroup Pg Job Site Pro	0.03	—	0.01	Feb 11, 2009	SQL injection vulnerability in homepage.php in PG Job Site Pro allows remote attackers to execute arbitrary SQL commands via the poll_view_id parameter in a results action.
CVE-2008-6116	Extrosoft Com Thyme	0.03	—	0.01	Feb 11, 2009	SQL injection vulnerability in the EXtrovert Software Thyme (com_thyme) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the event parameter to index.php.
CVE-2008-6115	Prozilla Hosting Index	0.03	—	0.01	Feb 11, 2009	SQL injection vulnerability in directory.php in Prozilla Hosting Index allows remote attackers to execute arbitrary SQL commands via the id parameter in a deadlink action, a different vector than CVE-2008-2083.
CVE-2008-6114	Mytipper Zogo Shop	0.03	—	0.01	Feb 11, 2009	SQL injection vulnerability in product_details.php in the Mytipper Zogo-shop 1.15.4 plugin for e107 allows remote attackers to execute arbitrary SQL commands via the product parameter.
CVE-2008-6111	Netartmedia Vlog System	0.03	—	0.01	Feb 11, 2009	SQL injection vulnerability in blog.php in NetArt Media Vlog System 1.1 allows remote attackers to execute arbitrary SQL commands via the note parameter.
CVE-2009-0516	Businessspace Businessspace	0.03	—	0.01	Feb 11, 2009	SQL injection vulnerability in the classified page (classified.php) in BusinessSpace 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2008-6104	—	0.03	—	0.00	Feb 10, 2009	SQL injection vulnerability in A4Desk PHP Event Calendar allows remote attackers to execute arbitrary SQL commands via the eventid parameter to admin/index.php.
CVE-2008-6102	Ezonescripts Link Trader Script	0.03	—	0.01	Feb 10, 2009	SQL injection vulnerability in ratelink.php in Link Trader Script allows remote attackers to execute arbitrary SQL commands via the lnkid parameter.
CVE-2008-6101	Ezonescripts Adult Banner Exchange Website	0.03	—	0.01	Feb 10, 2009	SQL injection vulnerability in click.php in Adult Banner Exchange Website allows remote attackers to execute arbitrary SQL commands via the targetid parameter.
CVE-2008-6100	Berlios Discussion Forum 2k	0.03	—	0.00	Feb 10, 2009	Multiple SQL injection vulnerabilities in Discussion Forums 2k 3.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) CatID parameter to (a) RSS1.php and (b) RSS2.php in misc/; and the (2) SubID parameter to (c) misc/RSS5.php.
CVE-2009-0462	Clicktech Clickcart	0.03	—	0.00	Feb 10, 2009	Multiple SQL injection vulnerabilities in customer_login_check.asp in ClickTech ClickCart 6.0 allow remote attackers to execute arbitrary SQL commands via (1) the txtEmail parameter (aka E-MAIL field) or (2) the txtPassword parameter (aka password field) to customer_login.asp. NOTE: some of these details are obtained from third party information.
CVE-2009-0459	Wholehogsoftware Password Protect	0.03	—	0.00	Feb 10, 2009	Multiple SQL injection vulnerabilities in admin/login_submit.php in Whole Hog Password Protect: Enhanced 1.x allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter (aka Username field) or (2) the pwd parameter (aka Password field). NOTE: some of these details are obtained from third party information.
CVE-2009-0458	Wholehogsoftware Ware Support	0.03	—	0.00	Feb 10, 2009	Multiple SQL injection vulnerabilities in admin/login_submit.php in Whole Hog Ware Support 1.x allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter (aka Username field) or (2) the pwd parameter (aka Password field). NOTE: some of these details are obtained from third party information.
CVE-2009-0452	Onlinegrades Online Grades	0.03	—	0.00	Feb 10, 2009	Multiple SQL injection vulnerabilities in parents/login.php in Online Grades 3.2.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) uname or (2) pass parameter.
CVE-2009-0451	Skalinks Skalinks	0.03	—	0.00	Feb 10, 2009	SQL injection vulnerability in Skalfa SkaLinks 1.5 allows remote attackers to execute arbitrary SQL commands via the Admin name field to the default URI under admin/.
CVE-2009-0447	Aspindir Mydesign Sayac	0.03	—	0.00	Feb 10, 2009	Multiple SQL injection vulnerabilities in default.asp in MyDesign Sayac 2.0 allow remote attackers to execute arbitrary SQL commands via (1) the user parameter (aka UserName field) or (2) the pass parameter (aka Pass field) to (a) admin/admin.asp or (b) the default URI under admin/. NOTE: some of these details are obtained from third party information.

CVE-2009-0543Feb 12, 2009
Proftpd
Proftpd
risk 0.03cvss —epss 0.00
ProFTPD Server 1.3.1, with NLS support enabled, allows remote attackers to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters, which are not properly handled in (1) mod_sql_mysql and (2) mod_sql_postgres.
CVE-2009-0534Feb 11, 2009
Flexcms
Flexcms
risk 0.03cvss —epss 0.00
SQL injection vulnerability in FlexCMS allows remote attackers to execute arbitrary SQL commands via the catId parameter.
CVE-2009-0531Feb 11, 2009
Ontarioabandonedplaces
A Better Member Based Asp Photo Gallery
risk 0.03cvss —epss 0.01
SQL injection vulnerability in gallery/view.asp in A Better Member-Based ASP Photo Gallery before 1.2 allows remote attackers to execute arbitrary SQL commands via the entry parameter.
CVE-2009-0528Feb 11, 2009
Rhadrix
If CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in frame.php in Rhadrix If-CMS 2.07 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6117Feb 11, 2009
Pilotgroup
Pg Job Site Pro
risk 0.03cvss —epss 0.01
SQL injection vulnerability in homepage.php in PG Job Site Pro allows remote attackers to execute arbitrary SQL commands via the poll_view_id parameter in a results action.
CVE-2008-6116Feb 11, 2009
Extrosoft
Com Thyme
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the EXtrovert Software Thyme (com_thyme) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the event parameter to index.php.
CVE-2008-6115Feb 11, 2009
Prozilla
Hosting Index
risk 0.03cvss —epss 0.01
SQL injection vulnerability in directory.php in Prozilla Hosting Index allows remote attackers to execute arbitrary SQL commands via the id parameter in a deadlink action, a different vector than CVE-2008-2083.
CVE-2008-6114Feb 11, 2009
Mytipper
Zogo Shop
risk 0.03cvss —epss 0.01
SQL injection vulnerability in product_details.php in the Mytipper Zogo-shop 1.15.4 plugin for e107 allows remote attackers to execute arbitrary SQL commands via the product parameter.
CVE-2008-6111Feb 11, 2009
Netartmedia
Vlog System
risk 0.03cvss —epss 0.01
SQL injection vulnerability in blog.php in NetArt Media Vlog System 1.1 allows remote attackers to execute arbitrary SQL commands via the note parameter.
CVE-2009-0516Feb 11, 2009
Businessspace
Businessspace
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the classified page (classified.php) in BusinessSpace 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2008-6104Feb 10, 2009
risk 0.03cvss —epss 0.00
SQL injection vulnerability in A4Desk PHP Event Calendar allows remote attackers to execute arbitrary SQL commands via the eventid parameter to admin/index.php.
CVE-2008-6102Feb 10, 2009
Ezonescripts
Link Trader Script
risk 0.03cvss —epss 0.01
SQL injection vulnerability in ratelink.php in Link Trader Script allows remote attackers to execute arbitrary SQL commands via the lnkid parameter.
CVE-2008-6101Feb 10, 2009
Ezonescripts
Adult Banner Exchange Website
risk 0.03cvss —epss 0.01
SQL injection vulnerability in click.php in Adult Banner Exchange Website allows remote attackers to execute arbitrary SQL commands via the targetid parameter.
CVE-2008-6100Feb 10, 2009
Berlios
Discussion Forum 2k
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Discussion Forums 2k 3.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) CatID parameter to (a) RSS1.php and (b) RSS2.php in misc/; and the (2) SubID parameter to (c) misc/RSS5.php.
CVE-2009-0462Feb 10, 2009
Clicktech
Clickcart
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in customer_login_check.asp in ClickTech ClickCart 6.0 allow remote attackers to execute arbitrary SQL commands via (1) the txtEmail parameter (aka E-MAIL field) or (2) the txtPassword parameter (aka password field) to customer_login.asp. NOTE: some of these details are obtained from third party information.
CVE-2009-0459Feb 10, 2009
Wholehogsoftware
Password Protect
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in admin/login_submit.php in Whole Hog Password Protect: Enhanced 1.x allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter (aka Username field) or (2) the pwd parameter (aka Password field). NOTE: some of these details are obtained from third party information.
CVE-2009-0458Feb 10, 2009
Wholehogsoftware
Ware Support
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in admin/login_submit.php in Whole Hog Ware Support 1.x allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter (aka Username field) or (2) the pwd parameter (aka Password field). NOTE: some of these details are obtained from third party information.
CVE-2009-0452Feb 10, 2009
Onlinegrades
Online Grades
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in parents/login.php in Online Grades 3.2.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) uname or (2) pass parameter.
CVE-2009-0451Feb 10, 2009
Skalinks
Skalinks
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Skalfa SkaLinks 1.5 allows remote attackers to execute arbitrary SQL commands via the Admin name field to the default URI under admin/.
CVE-2009-0447Feb 10, 2009
Aspindir
Mydesign Sayac
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in default.asp in MyDesign Sayac 2.0 allow remote attackers to execute arbitrary SQL commands via (1) the user parameter (aka UserName field) or (2) the pass parameter (aka Pass field) to (a) admin/admin.asp or (b) the default URI under admin/. NOTE: some of these details are obtained from third party information.