CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 322 of 441| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-5975 | 0.03 | — | 0.00 | Jan 27, 2009 | SQL injection vulnerability in links.asp in Active Price Comparison 4.0 allows remote attackers to execute arbitrary SQL commands via the linkid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-5974 | 0.03 | — | 0.01 | Jan 27, 2009 | Multiple SQL injection vulnerabilities in login.aspx in Active Price Comparison 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) password and (2) username fields. | ||
| CVE-2008-5973 | 0.03 | — | 0.00 | Jan 27, 2009 | SQL injection vulnerability in login.aspx in Active Web Mail 4.0 allows remote attackers to execute arbitrary SQL commands via the password parameter. | ||
| CVE-2008-5972 | 0.03 | — | 0.00 | Jan 27, 2009 | SQL injection vulnerability in default.asp in Active Business Directory 2 allows remote attackers to execute arbitrary SQL commands via the catid parameter. | ||
| CVE-2008-5970 | 0.03 | — | 0.00 | Jan 27, 2009 | SQL injection vulnerability in profile_social.php in i-Net Solution Orkut Clone allows remote authenticated users to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5969 | 0.03 | — | 0.00 | Jan 27, 2009 | SQL injection vulnerability in popupproduct.php in Sunbyte e-Flower allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5959 | 0.03 | — | 0.00 | Jan 23, 2009 | Multiple SQL injection vulnerabilities in start.asp in Active Test 2.1 allow remote attackers to execute arbitrary SQL commands via the (1) useremail parameter (aka username field) or (2) password parameter (aka password field). NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5958 | 0.03 | — | 0.01 | Jan 23, 2009 | Multiple SQL injection vulnerabilities in Active Test 2.1 allow remote attackers to execute arbitrary SQL commands via the QuizID parameter to (1) questions.asp, (2) importquestions.asp, and (3) quiztakers.asp. | ||
| CVE-2008-5957 | 0.03 | — | 0.00 | Jan 23, 2009 | SQL injection vulnerability in the Mydyngallery (com_mydyngallery) component 1.4.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the directory parameter to index.php. | ||
| CVE-2008-5955 | 0.03 | — | 0.01 | Jan 23, 2009 | SQL injection vulnerability in show.php in Wbstreet (aka PHPSTREET Webboard) 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5954 | 0.03 | — | 0.00 | Jan 23, 2009 | SQL injection vulnerability in KTP Computer Customer Database (KTPCCD) CMS, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lname parameter in a login action to an unspecified component. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-5952 | 0.03 | — | 0.00 | Jan 23, 2009 | SQL injection vulnerability in KTP Computer Customer Database (KTPCCD) CMS, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the tid parameter in a vtech action to the default URI. | ||
| CVE-2008-5950 | 0.03 | — | 0.00 | Jan 23, 2009 | SQL injection vulnerability in media/media_level.asp in ASP Template Creature allows remote attackers to execute arbitrary SQL commands via the mcatid parameter. | ||
| CVE-2009-0252 | 0.03 | — | 0.00 | Jan 22, 2009 | Multiple SQL injection vulnerabilities in default.asp in Enthrallweb eReservations allow remote attackers to execute arbitrary SQL commands via the (1) Login parameter (aka username field) or the (2) Password parameter (aka password field). NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5946 | 0.03 | — | 0.00 | Jan 22, 2009 | SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter. | ||
| CVE-2008-5934 | 0.03 | — | 0.00 | Jan 21, 2009 | SQL injection vulnerability in index.php in CMS ISWEB 3.0 allows remote attackers to execute arbitrary SQL commands via the id_sezione parameter. | ||
| CVE-2008-5930 | 0.03 | — | 0.00 | Jan 21, 2009 | SQL injection vulnerability in admin/blog_comments.asp in The Net Guys ASPired2Blog allows remote attackers to execute arbitrary SQL commands via the BlogID parameter. | ||
| CVE-2008-5928 | 0.03 | — | 0.01 | Jan 21, 2009 | SQL injection vulnerability in redir.php in Free Links Directory Script (FLDS) 1.2a allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5927 | 0.03 | — | 0.01 | Jan 21, 2009 | Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPNews 0.0.6 allow remote attackers to execute arbitrary SQL commands via the (1) checkuser parameter (aka username field) or (2) checkpass parameter (aka password field) to admin/index.php. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5926 | 0.03 | — | 0.00 | Jan 21, 2009 | Multiple SQL injection vulnerabilities in login.asp in ASP-DEv Internal E-Mail System allow remote attackers to execute arbitrary SQL commands via the (1) login parameter (aka user field) or the (2) password parameter (aka pass field). NOTE: some of these details are obtained from third party information. |
- CVE-2008-5975Jan 27, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in links.asp in Active Price Comparison 4.0 allows remote attackers to execute arbitrary SQL commands via the linkid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-5974Jan 27, 2009risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in login.aspx in Active Price Comparison 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) password and (2) username fields.
- CVE-2008-5973Jan 27, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in login.aspx in Active Web Mail 4.0 allows remote attackers to execute arbitrary SQL commands via the password parameter.
- CVE-2008-5972Jan 27, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in default.asp in Active Business Directory 2 allows remote attackers to execute arbitrary SQL commands via the catid parameter.
- CVE-2008-5970Jan 27, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in profile_social.php in i-Net Solution Orkut Clone allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5969Jan 27, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in popupproduct.php in Sunbyte e-Flower allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5959Jan 23, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in start.asp in Active Test 2.1 allow remote attackers to execute arbitrary SQL commands via the (1) useremail parameter (aka username field) or (2) password parameter (aka password field). NOTE: some of these details are obtained from third party information.
- CVE-2008-5958Jan 23, 2009risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Active Test 2.1 allow remote attackers to execute arbitrary SQL commands via the QuizID parameter to (1) questions.asp, (2) importquestions.asp, and (3) quiztakers.asp.
- CVE-2008-5957Jan 23, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Mydyngallery (com_mydyngallery) component 1.4.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the directory parameter to index.php.
- CVE-2008-5955Jan 23, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in show.php in Wbstreet (aka PHPSTREET Webboard) 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5954Jan 23, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in KTP Computer Customer Database (KTPCCD) CMS, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lname parameter in a login action to an unspecified component. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-5952Jan 23, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in KTP Computer Customer Database (KTPCCD) CMS, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via the tid parameter in a vtech action to the default URI.
- CVE-2008-5950Jan 23, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in media/media_level.asp in ASP Template Creature allows remote attackers to execute arbitrary SQL commands via the mcatid parameter.
- CVE-2009-0252Jan 22, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in default.asp in Enthrallweb eReservations allow remote attackers to execute arbitrary SQL commands via the (1) Login parameter (aka username field) or the (2) Password parameter (aka password field). NOTE: some of these details are obtained from third party information.
- CVE-2008-5946Jan 22, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in readmore.php in PHP-Fusion 4.01 allows remote attackers to execute arbitrary SQL commands via the news_id parameter.
- CVE-2008-5934Jan 21, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in CMS ISWEB 3.0 allows remote attackers to execute arbitrary SQL commands via the id_sezione parameter.
- CVE-2008-5930Jan 21, 2009risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/blog_comments.asp in The Net Guys ASPired2Blog allows remote attackers to execute arbitrary SQL commands via the BlogID parameter.
- CVE-2008-5928Jan 21, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in redir.php in Free Links Directory Script (FLDS) 1.2a allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5927Jan 21, 2009risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPNews 0.0.6 allow remote attackers to execute arbitrary SQL commands via the (1) checkuser parameter (aka username field) or (2) checkpass parameter (aka password field) to admin/index.php. NOTE: some of these details are obtained from third party information.
- CVE-2008-5926Jan 21, 2009risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.asp in ASP-DEv Internal E-Mail System allow remote attackers to execute arbitrary SQL commands via the (1) login parameter (aka user field) or the (2) password parameter (aka pass field). NOTE: some of these details are obtained from third party information.