VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 324 of 441
  • CVE-2008-5841 · Jan 5, 2009
    risk 0.03 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in iGaming 1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the browse parameter to (1) previews.php and (2) reviews.php, and the (3) id parameter to index.php in a viewarticle action.

  • CVE-2008-5838 · Jan 5, 2009
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in search_results.php in E-Php Scripts E-Shop (aka E-Php Shopping Cart) Shopping Cart Script allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-5820 · Jan 2, 2009
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in eDNews_view.php in eDreamers eDNews 2 allows remote attackers to execute arbitrary SQL commands via the newsid parameter.

  • CVE-2008-5817 · Jan 2, 2009
    risk 0.03 · cvss · epss 0.01

    Multiple SQL injection vulnerabilities in index.php in Web Scribble Solutions webClassifieds 2005 allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) password fields in a sign_in action.

  • CVE-2008-5816 · Jan 2, 2009
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter.

  • CVE-2008-5815 · Jan 2, 2009
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in Acomment.php in phpAlumni allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5811 · Jan 2, 2009
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in the PaxGallery (com_paxgallery) component 0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter in a table action to index.php.

  • CVE-2008-5806 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in login.php in DeltaScripts PHP Classifieds 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the admin_username parameter (aka admin field). NOTE: some of these details are obtained from third party information.

  • CVE-2008-5805 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in detail.php in DeltaScripts PHP Classifieds 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the siteid parameter, a different vector than CVE-2006-5828.

  • CVE-2008-5804 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in admin/admin_catalog.php in e-topbiz Number Links 1 Php Script allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit action.

  • CVE-2008-5803 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in admin/login.php in E-topbiz Online Store 1.0 allows remote attackers to execute arbitrary SQL commands via the user parameter (aka username field). NOTE: some of these details are obtained from third party information.

  • CVE-2008-5802 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in index.php in E-topbiz Online Store 1.0 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

  • CVE-2008-5788 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in Domain Seller Pro 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5785 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.

  • CVE-2008-5782 · Dec 31, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in bannerclick.php in ZeeMatri 3.0 allows remote attackers to execute arbitrary SQL commands via the adid parameter.

  • CVE-2008-5781 · Dec 30, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in right.php in Cant Find A Gaming CMS (CFAGCMS) 1.0 Beta 1 allows remote attackers to execute arbitrary SQL commands via the title parameter.

  • CVE-2008-5779 · Dec 30, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in lpro.php in Free Links Directory Script (FLDS) 1.2a allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5778 · Dec 30, 2008
    risk 0.03 · cvss · epss 0.02

    SQL injection vulnerability in report.php in Free Links Directory Script (FLDS) 1.2a allows remote attackers to execute arbitrary SQL commands via the linkid parameter.

  • CVE-2008-5777 · Dec 30, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in index.php in CadeNix allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-5775 · Dec 30, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in categories.php in Aperto Blog 0.1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.