CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,824)
page 320 of 442

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2009-0403 | | 0.03 | — | 0.01 | | Feb 3, 2009 | SQL injection vulnerability in admin/authenticate.php in Chipmunk Blogger Script allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. |
| CVE-2009-0400 | | 0.03 | — | 0.01 | | Feb 3, 2009 | SQL injection vulnerability in blog.php in SocialEngine 3.06 trial allows remote attackers to execute arbitrary SQL commands via the category_id parameter. |
| CVE-2008-6043 | | 0.03 | — | 0.00 | | Feb 3, 2009 | Multiple SQL injection vulnerabilities in PHP Pro Bid (PPB) 6.04 allow remote attackers to execute arbitrary SQL commands via the (1) order_field and (2) order_type parameters to categories.php and unspecified other components. NOTE: some of these details are obtained from third party information. |
| CVE-2008-6042 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in the re_search module in NetArtMedia Real Estate Portal 2.0 allows remote attackers to execute arbitrary SQL commands via the ad parameter to index.php. |
| CVE-2008-6038 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in index.php in MapCal 0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter in an editevent action, possibly related to dsp_editevent.php. |
| CVE-2008-6037 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in view.php in AvailScript Article Script allows remote attackers to execute arbitrary SQL commands via the v parameter. |
| CVE-2008-6033 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in comments.php in WSN Links 2.20 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-6032 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in comments.php in WSN Links Free 4.0.34P allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-6031 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in vote.php in WSN Links 2.22 and 2.23 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: it was later reported that 2.34 is also vulnerable. |
| CVE-2008-6030 | | 0.03 | — | 0.00 | | Feb 3, 2009 | Multiple SQL injection vulnerabilities in NetArtMedia Jobs Portal 1.3 allow remote attackers to execute arbitrary SQL commands via (1) the job parameter to index.php in the search module or (2) the news_id parameter to index.php. |
| CVE-2008-6029 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in search.php in BuzzyWall 1.3.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the search parameter. |
| CVE-2008-6028 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in list.php in University of Queensland Library Fez 1.3 and 2.0 RC1 allows remote attackers to execute arbitrary SQL commands via the parent_id parameter in a subject action. |
| CVE-2008-6026 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in tienda.php in BlueCUBE CMS allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2009-0395 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in the login feature in NetArt Media Car Portal 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. |
| CVE-2009-0394 | | 0.03 | — | 0.00 | | Feb 3, 2009 | SQL injection vulnerability in login.php in Pre Lecture Exercises (PLEs) CMS 1.0 beta 4.2 allows remote attackers to execute arbitrary SQL commands via the school parameter. |
| CVE-2008-6019 | | 0.03 | — | 0.00 | | Feb 2, 2009 | SQL injection vulnerability in index.php in EACOMM DO-CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the p parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2008-6017 | | 0.03 | — | 0.00 | | Feb 2, 2009 | SQL injection vulnerability in messages.php in I-Rater Basic allows remote attackers to execute arbitrary SQL commands via the idp parameter. |
| CVE-2009-0384 | | 0.03 | — | 0.00 | | Feb 2, 2009 | SQL injection vulnerability in autor.php in OwnRS CMS 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2009-0381 | | 0.03 | — | 0.00 | | Feb 2, 2009 | SQL injection vulnerability in the BazaarBuilder Ecommerce Shopping Cart (com_prod) 5.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in a products action to index.php. |
| CVE-2009-0380 | | 0.03 | — | 0.01 | | Feb 2, 2009 | SQL injection vulnerability in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) RC 2.8.2 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the bid parameter in a showbiz action to index.php, a different vector than CVE-2008-0607. NOTE: CVE disputes this issue, since neither "showbiz" nor "bid" appears in the source code for SOBI2 |