CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 325 of 441| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-5774 | 0.03 | — | 0.00 | Dec 30, 2008 | Multiple SQL injection vulnerabilities in ASPSiteWare HomeBuilder 1.0 and 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) iType parameter to (a) type.asp and (b) type2.asp and the (2) iPro parameter to (c) detail.asp. | ||
| CVE-2008-5772 | 0.03 | — | 0.01 | Dec 30, 2008 | Multiple SQL injection vulnerabilities in ASPSiteWare RealtyListings 1.0 and 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) iType parameter to type.asp and the (2) iPro parameter to detail.asp. | ||
| CVE-2008-5768 | 0.03 | — | 0.00 | Dec 30, 2008 | SQL injection vulnerability in print.php in the AM Events (aka Amevents) module 0.22 for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5767 | 0.03 | — | 0.00 | Dec 30, 2008 | SQL injection vulnerability in authors.asp in gNews Publisher allows remote attackers to execute arbitrary SQL commands via the authorID parameter. | ||
| CVE-2008-5766 | 0.03 | — | 0.00 | Dec 30, 2008 | SQL injection vulnerability in download.php in Farsi Script Faupload allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5751 | 0.03 | — | 0.00 | Dec 30, 2008 | SQL injection vulnerability in index.php in AlstraSoft Web Email Script Enterprise (ESE) allows remote attackers to execute arbitrary SQL commands via the id parameter in a directory action. | ||
| CVE-2008-5739 | 0.03 | — | 0.00 | Dec 26, 2008 | SQL injection vulnerability in evb/check_url.php in Pligg CMS 9.9.5 Beta allows remote attackers to execute arbitrary SQL commands via the url parameter. | ||
| CVE-2008-5737 | 0.03 | — | 0.01 | Dec 26, 2008 | SQL injection vulnerability in index.php in Nodstrum MySQL Calendar 1.1 and 1.2 allows remote attackers to execute arbitrary SQL commands via the username parameter. | ||
| CVE-2008-5733 | 0.03 | — | 0.00 | Dec 26, 2008 | SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5727 | 0.03 | — | 0.00 | Dec 26, 2008 | SQL injection vulnerability in modules/auth/password_recovery.php in AIST NetCat 3.12 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the query string. | ||
| CVE-2008-5726 | 0.03 | — | 0.00 | Dec 26, 2008 | SQL injection vulnerability in thread.php in stormBoards 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-5707 | 0.03 | — | 0.00 | Dec 24, 2008 | SQL injection vulnerability in urunler.asp in Iltaweb Alisveris Sistemi allows remote attackers to execute arbitrary SQL commands via the catno parameter. | ||
| CVE-2008-1094 | 0.03 | — | 0.01 | Dec 19, 2008 | SQL injection vulnerability in index.cgi in the Account View page in Barracuda Spam Firewall (BSF) before 3.5.12.007 allows remote authenticated administrators to execute arbitrary SQL commands via a pattern_x parameter in a search_count_equals action, as demonstrated by the pattern_0 parameter. | ||
| CVE-2008-5665 | 0.03 | — | 0.00 | Dec 19, 2008 | SQL injection vulnerability in index.php in the xhresim module in XOOPS allows remote attackers to execute arbitrary SQL commands via the no parameter. | ||
| CVE-2008-5655 | 0.03 | — | 0.00 | Dec 17, 2008 | Multiple SQL injection vulnerabilities in MyioSoft EasyBookMarker 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) delete_folder and (2) delete_link parameters to unspecified vectors, possibly to (a) plugins/bookmarker/bookmarker_backend.php or (b) ajaxp.php, different vectors than CVE-2008-5654. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-5654 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in the loginADP function in ajaxp.php in MyioSoft EasyCalendar 4.0 allows remote attackers to execute arbitrary SQL commands via the rsargs parameter, as reachable through the username parameter, a different vector than CVE-2008-1344. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5653 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in the loginADP function in ajaxp.php in MyioSoft AjaxPortal 3.0 allows remote attackers to execute arbitrary SQL commands via the rsargs parameter, as reachable through the username parameter. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5652 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in the loginADP function in ajaxp.php in MyioSoft EasyBookMarker 4.0 allows remote attackers to execute arbitrary SQL commands via the rsargs parameter, as reachable through the username parameter. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5651 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in plugins/bookmarker/bookmarker_backend.php in MyioSoft EasyBookMarker 4.0 allows remote attackers to execute arbitrary SQL commands via the Parent parameter. | ||
| CVE-2008-5650 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in the login directory in AlstraSoft Web Host Directory allows remote attackers to execute arbitrary SQL commands via the pwd parameter. |
- CVE-2008-5774Dec 30, 2008risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in ASPSiteWare HomeBuilder 1.0 and 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) iType parameter to (a) type.asp and (b) type2.asp and the (2) iPro parameter to (c) detail.asp.
- CVE-2008-5772Dec 30, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in ASPSiteWare RealtyListings 1.0 and 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) iType parameter to type.asp and the (2) iPro parameter to detail.asp.
- CVE-2008-5768Dec 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in print.php in the AM Events (aka Amevents) module 0.22 for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5767Dec 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in authors.asp in gNews Publisher allows remote attackers to execute arbitrary SQL commands via the authorID parameter.
- CVE-2008-5766Dec 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in download.php in Farsi Script Faupload allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5751Dec 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in AlstraSoft Web Email Script Enterprise (ESE) allows remote attackers to execute arbitrary SQL commands via the id parameter in a directory action.
- CVE-2008-5739Dec 26, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in evb/check_url.php in Pligg CMS 9.9.5 Beta allows remote attackers to execute arbitrary SQL commands via the url parameter.
- CVE-2008-5737Dec 26, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Nodstrum MySQL Calendar 1.1 and 1.2 allows remote attackers to execute arbitrary SQL commands via the username parameter.
- CVE-2008-5733Dec 26, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5727Dec 26, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in modules/auth/password_recovery.php in AIST NetCat 3.12 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the query string.
- CVE-2008-5726Dec 26, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in thread.php in stormBoards 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-5707Dec 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in urunler.asp in Iltaweb Alisveris Sistemi allows remote attackers to execute arbitrary SQL commands via the catno parameter.
- CVE-2008-1094Dec 19, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.cgi in the Account View page in Barracuda Spam Firewall (BSF) before 3.5.12.007 allows remote authenticated administrators to execute arbitrary SQL commands via a pattern_x parameter in a search_count_equals action, as demonstrated by the pattern_0 parameter.
- CVE-2008-5665Dec 19, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in the xhresim module in XOOPS allows remote attackers to execute arbitrary SQL commands via the no parameter.
- CVE-2008-5655Dec 17, 2008risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in MyioSoft EasyBookMarker 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) delete_folder and (2) delete_link parameters to unspecified vectors, possibly to (a) plugins/bookmarker/bookmarker_backend.php or (b) ajaxp.php, different vectors than CVE-2008-5654. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-5654Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the loginADP function in ajaxp.php in MyioSoft EasyCalendar 4.0 allows remote attackers to execute arbitrary SQL commands via the rsargs parameter, as reachable through the username parameter, a different vector than CVE-2008-1344. NOTE: some of these details are obtained from third party information.
- CVE-2008-5653Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the loginADP function in ajaxp.php in MyioSoft AjaxPortal 3.0 allows remote attackers to execute arbitrary SQL commands via the rsargs parameter, as reachable through the username parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-5652Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in the loginADP function in ajaxp.php in MyioSoft EasyBookMarker 4.0 allows remote attackers to execute arbitrary SQL commands via the rsargs parameter, as reachable through the username parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-5651Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in plugins/bookmarker/bookmarker_backend.php in MyioSoft EasyBookMarker 4.0 allows remote attackers to execute arbitrary SQL commands via the Parent parameter.
- CVE-2008-5650Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in the login directory in AlstraSoft Web Host Directory allows remote attackers to execute arbitrary SQL commands via the pwd parameter.