VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
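The mechanism in the description, as an added example that is not code from this page or from any product in the CVE list below. It is a stand-alone Python script against an in-memory SQLite database with constructed sample rows, and it shows the two injection shapes that recur in the listed CVEs: a quoted string context (a login form's username/password fields) and an unquoted numeric context (an id parameter). Each concatenating query is placed next to its parameterized form, and a quote-escaping-only variant (the idea behind PHP's magic_quotes_gpc, mentioned in CVE-2008-5586) shows why escaping alone does not protect a numeric context. Table names, column names and the sample data are assumptions made for the example.

```python
import sqlite3

# Constructed sample data, embedded so the script runs offline.
USERS = [("alice", "s3cret", 1), ("bob", "hunter2", 0)]
PRODUCTS = [("Sedan",), ("Coupe",)]


def make_db():
    """In-memory SQLite database with a users table and a products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)", USERS)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", PRODUCTS)
    conn.commit()
    return conn


# --- quoted string context: the login-form pattern -------------------------

def login_vulnerable(conn, username, password):
    """Concatenates raw input into the statement. A quote in the input closes
    the literal, so the rest of the input is parsed as SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized statement: the SQL text is fixed and the driver binds the
    values separately, so quotes and comment markers stay ordinary data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# --- unquoted numeric context: the id-parameter pattern --------------------

def product_vulnerable(conn, product_id):
    """No quoting around the id at all, so any SQL appended to it is executed."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [r[0] for r in conn.execute(sql).fetchall()]


def product_escaped_only(conn, product_id):
    """Escaping quotes (what magic_quotes_gpc did) changes nothing here: a
    payload for a numeric context needs no quote characters."""
    escaped = product_id.replace("'", "''")
    sql = "SELECT name FROM products WHERE id = " + escaped
    return [r[0] for r in conn.execute(sql).fetchall()]


def product_safe(conn, product_id):
    """Validate the type first, then bind the value; non-integers are rejected
    before any SQL is built."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1' --"   # closes the literal, comments out the password check
    print("vulnerable login :", login_vulnerable(db, bypass, "wrong"))   # alice
    print("parameterized    :", login_safe(db, bypass, "wrong"))         # None
    leak = "1 UNION SELECT password FROM users"   # no quotes needed in a numeric context
    print("vulnerable id    :", product_vulnerable(db, leak))            # passwords leak
    print("quote-escaped id :", product_escaped_only(db, leak))          # still leaks
    print("validated id     :", product_safe(db, leak))                  # []
```

The login bypass works because the first quote in the username terminates the string literal and `--` comments out the password comparison; the id leak works because a numeric comparison has no delimiter for the input to escape from, which is why validation of the expected type plus binding, not quoting, is the fix.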

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 327 of 441
  • CVE-2008-5595 · Dec 16, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in detail.asp in ASP AutoDealer allows remote attackers to execute arbitrary SQL commands via the ID parameter.

  • CVE-2008-5590 · Dec 16, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in customer.forumtopic.php in Kalptaru Infotech Product Sale Framework 0.1 beta allows remote attackers to execute arbitrary SQL commands via the forum_topic_id parameter.

  • CVE-2008-5589 · Dec 16, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in processlogin.asp in Katy Whitton RankEm allows remote attackers to execute arbitrary SQL commands via the (1) txtusername parameter (aka username field) or the (2) txtpassword parameter (aka password field). NOTE: some of these details are obtained from third party information.

  • CVE-2008-5588 · Dec 16, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in rankup.asp in Katy Whitton RankEm allows remote attackers to execute arbitrary SQL commands via the siteID parameter.

  • CVE-2008-5586 · Dec 16, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in findoffice.php in Check Up New Generation (aka Check New) 4.52, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the search parameter.

  • CVE-2008-5582 · Dec 15, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in utilities/login.asp in Nukedit 4.9.x, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the email parameter.

  • CVE-2008-5578 · Dec 15, 2008
    risk 0.03 · cvss · epss 0.00

    Multiple SQL injection vulnerabilities in index.php in sCssBoard 1.0, 1.1, 1.11, and 1.12 allow remote attackers to execute arbitrary SQL commands via (1) the f parameter in a showforum action, (2) the u parameter in a profile action, (3) the viewcat parameter, or (4) a combination of scb_uid and scb_ident cookie values.

  • CVE-2008-5574 · Dec 15, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in member.php in Webmaster Marketplace allows remote attackers to execute arbitrary SQL commands via the u parameter.

  • CVE-2008-5573 · Dec 15, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in the login feature in Poll Pro 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) Password and (2) username parameters.

  • CVE-2008-5571 · Dec 15, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in admin/login.asp in Professional Download Assistant 0.1 allows remote attackers to execute arbitrary SQL commands via the (1) uname parameter (aka user field) or the (2) psw parameter (aka passwd field). NOTE: some of these details are obtained from third party information.

  • CVE-2008-5561 · Dec 15, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in Netref 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) fiche_product.php and (2) presentation.php.

  • CVE-2008-5559 · Dec 15, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in sendcard.cfm in PostEcards allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-5496 · Dec 12, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in showcategory.php in PozScripts Business Directory Script allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-5494 · Dec 12, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in the Contact Information Module (com_contactinfo) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.

  • CVE-2008-5493 · Dec 12, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in track.php in PHPStore Wholesales (aka Wholesale) allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5491 · Dec 12, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in edit.php in SlimCMS 1.0.0 and earlier allows remote attackers to execute arbitrary SQL commands via the pageID parameter.

  • CVE-2008-5490 · Dec 12, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in PHPStore Yahoo Answers allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5489 · Dec 12, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in channel_detail.php in ClipShare Pro 4, and 2006 through 2007, allows remote attackers to execute arbitrary SQL commands via the chid parameter.

  • CVE-2008-5486 · Dec 12, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in admin.php in TurnkeyForms Text Link Sales allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5365 · Dec 8, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in VoteHistory.asp in ActiveWebSoftwares ActiveVotes 2.2 allows remote attackers to execute arbitrary SQL commands via the AccountID parameter.