CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,833)

page 319 of 442

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2009-0446	Web Album Webalbum	0.03	—	0.00	Feb 10, 2009	SQL injection vulnerability in photo.php in WEBalbum 2.4b allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-0445	Dreampics Gallery Builder	0.03	—	0.01	Feb 10, 2009	SQL injection vulnerability in index.php in Dreampics Gallery Builder allows remote attackers to execute arbitrary SQL commands via the exhibition_id parameter in a gallery.viewPhotos action.
CVE-2008-6068	Web Design Hero Joomladate	0.03	—	0.00	Feb 10, 2009	SQL injection vulnerability in the JoomlaDate (com_joomladate) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the user parameter in a viewProfile action to index.php.
CVE-2009-0494	Mivaco Com Portfol	0.03	—	0.00	Feb 10, 2009	SQL injection vulnerability in the Portfol (com_portfol) 1.2 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the vcatid parameter in a viewcategory action to index.php.
CVE-2009-0493	Martin Unzner It\!CMS	0.03	—	0.00	Feb 10, 2009	SQL injection vulnerability in login.php in IT!CMS 2.1a and earlier allows remote attackers to execute arbitrary SQL commands via the Username.
CVE-2008-6093	Noname Cms Noname CMS	0.03	—	0.00	Feb 9, 2009	SQL injection vulnerability in index.php in Noname CMS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) file_id parameter in a detailansicht action and the (2) kategorie parameter in a kategorien action.
CVE-2008-6091	Bmforum Bmforum	0.03	—	0.00	Feb 9, 2009	SQL injection vulnerability in plugins.php in BMForum 5.6, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the tagname parameter.
CVE-2009-0479	Onlinegrades Online Grades	0.03	—	0.00	Feb 9, 2009	Multiple SQL injection vulnerabilities in admin/admin_login.php in Online Grades 3.2.4 allow remote attackers to execute arbitrary SQL commands via the (1) uname or (2) pword parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6088	Joomtracker Com Joomtracker	0.03	—	0.01	Feb 6, 2009	SQL injection vulnerability in the Joomtracker (com_joomtracker) 1.01 module for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a tordetails action to index.php.
CVE-2008-6086	Camera Life Camera Life	0.03	—	0.01	Feb 6, 2009	SQL injection vulnerability in album.php in Camera Life 2.6.2b4 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3355.
CVE-2008-6081	Simplecustomer Simple Customer	0.03	—	0.01	Feb 6, 2009	SQL injection vulnerability in contact.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6078	Limbo Cms Com Privmsg	0.03	—	0.00	Feb 6, 2009	SQL injection vulnerability in open.php in the Private Messaging (com_privmsg) component for Limbo CMS allows remote attackers to execute arbitrary SQL commands via the id parameter in a pms action to index.php.
CVE-2008-6077	Loudblog Loudblog	0.03	—	0.00	Feb 6, 2009	SQL injection vulnerability in loudblog/ajax.php in LoudBlog 0.8.0a and earlier allows remote authenticated users to execute arbitrary SQL commands via the colpick parameter in a singleread action.
CVE-2008-6076	Jlleblanc Com Dailymessage	0.03	—	0.00	Feb 6, 2009	SQL injection vulnerability in the Daily Message (com_dailymessage) 1.0.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2008-6075	Rasihbahar Bahar Download Script	0.03	—	0.00	Feb 6, 2009	SQL injection vulnerability in aspkat.asp in Bahar Download Script 2.0 allows remote attackers to execute arbitrary SQL commands via the kid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6064	Domphp Domphp	0.03	—	0.00	Feb 5, 2009	Multiple SQL injection vulnerabilities in DomPHP 0.81 allow remote attackers to execute arbitrary SQL commands via the cat parameter to agenda/index.php, and unspecified other vectors.
CVE-2009-0431	Codefixer Linkspro	0.03	—	0.00	Feb 5, 2009	SQL injection vulnerability in Default.asp in LinksPro Standard Edition allows remote attackers to execute arbitrary SQL commands via the OrderDirection parameter.
CVE-2009-0429	Activewebsoftwares Active Bids	0.03	—	0.00	Feb 5, 2009	Multiple SQL injection vulnerabilities in Active Bids allow remote attackers to execute arbitrary SQL commands via the (1) search parameter to search.asp, (2) SortDir parameter to auctionsended.asp, and the (3) catid parameter to wishlist.php.
CVE-2009-0428	Dmxready Secure Document Library	0.03	—	0.02	Feb 5, 2009	SQL injection vulnerability in CategoryManager/upload_image_category.asp in DMXReady Secure Document Library 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2009-0427	Dmxready Member Directory Manager	0.03	—	0.02	Feb 5, 2009	SQL injection vulnerability in CategoryManager/upload_image_category.asp in DMXReady Member Directory Manager 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter.

CVE-2009-0446Feb 10, 2009
Web Album
Webalbum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in photo.php in WEBalbum 2.4b allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-0445Feb 10, 2009
Dreampics
Gallery Builder
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Dreampics Gallery Builder allows remote attackers to execute arbitrary SQL commands via the exhibition_id parameter in a gallery.viewPhotos action.
CVE-2008-6068Feb 10, 2009
Web Design Hero
Joomladate
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JoomlaDate (com_joomladate) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the user parameter in a viewProfile action to index.php.
CVE-2009-0494Feb 10, 2009
Mivaco
Com Portfol
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Portfol (com_portfol) 1.2 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the vcatid parameter in a viewcategory action to index.php.
CVE-2009-0493Feb 10, 2009
Martin Unzner
It\!CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.php in IT!CMS 2.1a and earlier allows remote attackers to execute arbitrary SQL commands via the Username.
CVE-2008-6093Feb 9, 2009
Noname Cms
Noname CMS
risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Noname CMS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) file_id parameter in a detailansicht action and the (2) kategorie parameter in a kategorien action.
CVE-2008-6091Feb 9, 2009
Bmforum
Bmforum
risk 0.03cvss —epss 0.00
SQL injection vulnerability in plugins.php in BMForum 5.6, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the tagname parameter.
CVE-2009-0479Feb 9, 2009
Onlinegrades
Online Grades
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in admin/admin_login.php in Online Grades 3.2.4 allow remote attackers to execute arbitrary SQL commands via the (1) uname or (2) pword parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6088Feb 6, 2009
Joomtracker
Com Joomtracker
risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Joomtracker (com_joomtracker) 1.01 module for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a tordetails action to index.php.
CVE-2008-6086Feb 6, 2009
Camera Life
Camera Life
risk 0.03cvss —epss 0.01
SQL injection vulnerability in album.php in Camera Life 2.6.2b4 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3355.
CVE-2008-6081Feb 6, 2009
Simplecustomer
Simple Customer
risk 0.03cvss —epss 0.01
SQL injection vulnerability in contact.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6078Feb 6, 2009
Limbo Cms
Com Privmsg
risk 0.03cvss —epss 0.00
SQL injection vulnerability in open.php in the Private Messaging (com_privmsg) component for Limbo CMS allows remote attackers to execute arbitrary SQL commands via the id parameter in a pms action to index.php.
CVE-2008-6077Feb 6, 2009
Loudblog
Loudblog
risk 0.03cvss —epss 0.00
SQL injection vulnerability in loudblog/ajax.php in LoudBlog 0.8.0a and earlier allows remote authenticated users to execute arbitrary SQL commands via the colpick parameter in a singleread action.
CVE-2008-6076Feb 6, 2009
Jlleblanc
Com Dailymessage
risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Daily Message (com_dailymessage) 1.0.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
CVE-2008-6075Feb 6, 2009
Rasihbahar
Bahar Download Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in aspkat.asp in Bahar Download Script 2.0 allows remote attackers to execute arbitrary SQL commands via the kid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-6064Feb 5, 2009
Domphp
Domphp
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in DomPHP 0.81 allow remote attackers to execute arbitrary SQL commands via the cat parameter to agenda/index.php, and unspecified other vectors.
CVE-2009-0431Feb 5, 2009
Codefixer
Linkspro
risk 0.03cvss —epss 0.00
SQL injection vulnerability in Default.asp in LinksPro Standard Edition allows remote attackers to execute arbitrary SQL commands via the OrderDirection parameter.
CVE-2009-0429Feb 5, 2009
Activewebsoftwares
Active Bids
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Active Bids allow remote attackers to execute arbitrary SQL commands via the (1) search parameter to search.asp, (2) SortDir parameter to auctionsended.asp, and the (3) catid parameter to wishlist.php.
CVE-2009-0428Feb 5, 2009
Dmxready
Secure Document Library
risk 0.03cvss —epss 0.02
SQL injection vulnerability in CategoryManager/upload_image_category.asp in DMXReady Secure Document Library 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter.
CVE-2009-0427Feb 5, 2009
Dmxready
Member Directory Manager
risk 0.03cvss —epss 0.02
SQL injection vulnerability in CategoryManager/upload_image_category.asp in DMXReady Member Directory Manager 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter.