CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 326 of 441| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-5649 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in admin/admin.php in AlstraSoft Article Manager Pro 1.6 allows remote attackers to execute arbitrary SQL commands via the username parameter. | ||
| CVE-2008-5648 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in admin/login.php in DeltaScripts PHP Shop 1.0 allows remote attackers to execute arbitrary SQL commands via the admin_username parameter. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5643 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in the Books (com_books) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the book_id parameter in a book_details action to index.php. | ||
| CVE-2008-5641 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in account.asp in Active Photo Gallery 6.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. | ||
| CVE-2008-5640 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in bidhistory.asp in Active Bids 3.5 allows remote attackers to execute arbitrary SQL commands via the ItemID parameter. | ||
| CVE-2008-5638 | 0.03 | — | 0.00 | Dec 17, 2008 | Multiple SQL injection vulnerabilities in Active Price Comparison 4 allow remote attackers to execute arbitrary SQL commands via the (1) ProductID parameter to reviews.aspx or the (2) linkid parameter to links.asp. | ||
| CVE-2008-5637 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in blog.asp in ParsBlogger (Pb) allows remote attackers to execute arbitrary SQL commands via the wr parameter. | ||
| CVE-2008-5636 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in cate.php in Lito Lite CMS, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cid parameter. | ||
| CVE-2008-5635 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in account.asp in Active Membership 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5634 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in account.asp in Active Force Matrix 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5633 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in register.asp in ActiveVotes 2.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5632 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in Account.asp in Active Time Billing 3.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5631 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in start.asp in Active eWebquiz 8.0 allows remote attackers to execute arbitrary SQL commands via the (1) useremail parameter (aka username field) or the (2) password parameter. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5630 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in merchants/index.php in Post Affiliate Pro 3 and 3.1.4 allows remote attackers to execute arbitrary SQL commands via the umprof_status parameter. | ||
| CVE-2008-5629 | 0.03 | — | 0.01 | Dec 17, 2008 | SQL injection vulnerability in index.php in Turnkey Arcade Script allows remote attackers to execute arbitrary SQL commands via the id parameter in a play action. | ||
| CVE-2008-5628 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in index.php in CMS little 0.0.1 allows remote attackers to execute arbitrary SQL commands via the term parameter. | ||
| CVE-2008-5627 | 0.03 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in account.asp in Active Trade 2 allows remote attackers to execute arbitrary SQL commands via the (1) username parameter (aka Email field) or the (2) password parameter. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-5607 | 0.03 | — | 0.00 | Dec 16, 2008 | SQL injection vulnerability in the JMovies (aka JM or com_jmovies) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. | ||
| CVE-2008-5605 | 0.03 | — | 0.00 | Dec 16, 2008 | Multiple SQL injection vulnerabilities in ASP Portal allow remote attackers to execute arbitrary SQL commands via the (1) ItemID parameter to classifieds.asp and the (2) ID parameter to Events.asp. | ||
| CVE-2008-5599 | 0.03 | — | 0.00 | Dec 16, 2008 | SQL injection vulnerability in default.asp in Merlix Teamworx Server allows remote attackers to execute arbitrary SQL commands via the password parameter (aka passwd field) in a login action. NOTE: some of these details are obtained from third party information. |
- CVE-2008-5649Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin/admin.php in AlstraSoft Article Manager Pro 1.6 allows remote attackers to execute arbitrary SQL commands via the username parameter.
- CVE-2008-5648Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/login.php in DeltaScripts PHP Shop 1.0 allows remote attackers to execute arbitrary SQL commands via the admin_username parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-5643Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Books (com_books) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the book_id parameter in a book_details action to index.php.
- CVE-2008-5641Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in account.asp in Active Photo Gallery 6.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.
- CVE-2008-5640Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in bidhistory.asp in Active Bids 3.5 allows remote attackers to execute arbitrary SQL commands via the ItemID parameter.
- CVE-2008-5638Dec 17, 2008risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Active Price Comparison 4 allow remote attackers to execute arbitrary SQL commands via the (1) ProductID parameter to reviews.aspx or the (2) linkid parameter to links.asp.
- CVE-2008-5637Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in blog.asp in ParsBlogger (Pb) allows remote attackers to execute arbitrary SQL commands via the wr parameter.
- CVE-2008-5636Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in cate.php in Lito Lite CMS, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cid parameter.
- CVE-2008-5635Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in account.asp in Active Membership 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information.
- CVE-2008-5634Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in account.asp in Active Force Matrix 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information.
- CVE-2008-5633Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in register.asp in ActiveVotes 2.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information.
- CVE-2008-5632Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in Account.asp in Active Time Billing 3.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters, possibly related to start.asp. NOTE: some of these details are obtained from third party information.
- CVE-2008-5631Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in start.asp in Active eWebquiz 8.0 allows remote attackers to execute arbitrary SQL commands via the (1) useremail parameter (aka username field) or the (2) password parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-5630Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in merchants/index.php in Post Affiliate Pro 3 and 3.1.4 allows remote attackers to execute arbitrary SQL commands via the umprof_status parameter.
- CVE-2008-5629Dec 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Turnkey Arcade Script allows remote attackers to execute arbitrary SQL commands via the id parameter in a play action.
- CVE-2008-5628Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in CMS little 0.0.1 allows remote attackers to execute arbitrary SQL commands via the term parameter.
- CVE-2008-5627Dec 17, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in account.asp in Active Trade 2 allows remote attackers to execute arbitrary SQL commands via the (1) username parameter (aka Email field) or the (2) password parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-5607Dec 16, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the JMovies (aka JM or com_jmovies) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.
- CVE-2008-5605Dec 16, 2008risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in ASP Portal allow remote attackers to execute arbitrary SQL commands via the (1) ItemID parameter to classifieds.asp and the (2) ID parameter to Events.asp.
- CVE-2008-5599Dec 16, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in default.asp in Merlix Teamworx Server allows remote attackers to execute arbitrary SQL commands via the password parameter (aka passwd field) in a login action. NOTE: some of these details are obtained from third party information.