VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
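The following is an added example, not part of the CWE entry and not code from any product listed on this page. It runs Python's standard `sqlite3` module against a constructed in-memory table (three rows, one marked private) to show the failure the description names: a request value spliced into SQL text is parsed as SQL. It also shows a point that the magic_quotes_gpc-dependent entries in the list below (for example CVE-2008-5335) hinge on: escaping quotes only helps when the value actually sits inside a quoted literal, while an unquoted numeric position such as `WHERE id=...` is injectable with a payload that contains no quote at all. Only a bound parameter neutralizes both cases. The table name, column names and payloads are hypothetical.

```python
import sqlite3

# Constructed sample data for this example (not taken from the page): a content
# table of the kind sitting behind an "index.php?pageid=..." lookup.
SAMPLE_ROWS = [
    (1, "home", "public"),
    (2, "about", "public"),
    (3, "staff-notes", "private"),
]


def make_db():
    """Return an in-memory SQLite database loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def quote_escape(value):
    """Escape a value for use inside a single-quoted SQL literal by doubling
    single quotes. This is the SQL-standard counterpart of what PHP's
    magic_quotes_gpc / addslashes() attempted for MySQL; it only helps when
    the value really does land between quotes."""
    return value.replace("'", "''")


def by_id_concat(conn, page_id):
    # VULNERABLE (CWE-89): the request parameter is spliced into the SQL text,
    # mirroring the classic PHP pattern "... WHERE id=" . $_GET['id'].
    sql = "SELECT title FROM pages WHERE id=" + page_id + " AND visibility='public'"
    return [row[0] for row in conn.execute(sql)]


def by_id_escaped(conn, page_id):
    # STILL VULNERABLE: quote escaping does nothing for an unquoted numeric
    # position; a payload such as "1 OR 1=1 --" contains no quote to escape.
    return by_id_concat(conn, quote_escape(page_id))


def by_title_concat(conn, title):
    # VULNERABLE: string context, closed off by a stray quote in the input.
    sql = "SELECT title FROM pages WHERE title='" + title + "' AND visibility='public'"
    return [row[0] for row in conn.execute(sql)]


def by_title_escaped(conn, title):
    # Here escaping does neutralize the quote, so the payload stays data.
    return by_title_concat(conn, quote_escape(title))


def by_id_param(conn, page_id):
    # FIXED: a parameterized query. The value is bound by the driver and is
    # never parsed as SQL, whatever it contains.
    sql = "SELECT title FROM pages WHERE id=? AND visibility='public'"
    return [row[0] for row in conn.execute(sql, (page_id,))]


def demo():
    """Run each variant with a benign and a hostile value; return the results."""
    conn = make_db()
    numeric_payload = "1 OR 1=1 --"   # no quotes needed: numeric context
    string_payload = "x' OR 1=1 --"   # breaks out of the string literal
    return {
        "id_concat_benign": by_id_concat(conn, "1"),
        "id_concat_attack": by_id_concat(conn, numeric_payload),
        "id_escaped_attack": by_id_escaped(conn, numeric_payload),
        "title_concat_attack": by_title_concat(conn, string_payload),
        "title_escaped_attack": by_title_escaped(conn, string_payload),
        "id_param_benign": by_id_param(conn, "1"),
        "id_param_attack": by_id_param(conn, numeric_payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

Both concatenating lookups, and the escaped numeric one, return the private row because `-- ` comments out the visibility filter; the escaped string lookup returns nothing because the payload's quote is doubled and the whole value is compared as a title; the parameterized lookup returns the matching row for `"1"` and nothing for the payload. In a real handler the numeric parameter should additionally be validated as an integer before it reaches the query, but that is defence in depth, not a substitute for binding.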

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 328 of 441
  • CVE-2008-5337 · Dec 5, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in lyrics.php in Bandwebsite (aka Bandsite portal system) 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5336 · Dec 5, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in index.php in WebStudio CMS allows remote attackers to execute arbitrary SQL commands via the pageid parameter.

  • CVE-2008-5335 · Dec 5, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in messages.php in PHP-Fusion 6.01.15 and 7.00.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the subject and msg_send parameters, a different vector than CVE-2005-3157, CVE-2005-3158, CVE-2005-3159, CVE-2005-4005, and CVE-2006-2459.

  • CVE-2008-5333 · Dec 5, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in members.php in NitroTech 0.0.3a allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5321 · Dec 3, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in index.php in GesGaleri, a module for XOOPS, allows remote attackers to execute arbitrary SQL commands via the no parameter.

  • CVE-2008-5320 · Dec 3, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in usersettings.php in e107 0.7.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the ue[] parameter.

  • CVE-2008-3058 · Dec 3, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    Multiple SQL injection vulnerabilities in Octeth Oempro 3.5.5.1, and possibly other versions before 4, allow remote attackers to execute arbitrary SQL commands via the FormValue_Email parameter (aka Email field) to index.php in (1) member/, (2) client/, or (3) admin/; or (4) the FormValue_SearchKeywords parameter to client/campaign_track.php.

  • CVE-2008-5311 · Dec 2, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in image.php in NetArt Media Blog System 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5310 · Dec 2, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in image.php in NetArt Media Car Portal 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5309 · Dec 2, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in NetArt Media Real Estate Portal 1.2 allows remote attackers to execute arbitrary SQL commands via the ad_id parameter in the re_send_email module to index.php.

  • CVE-2008-5307 · Dec 2, 2008 · risk 0.03 · cvss (no score listed) · epss 0.02

    SQL injection vulnerability in admin/index.php in PG Roommate Finder Solution allows remote attackers to execute arbitrary SQL commands via the login_lg parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-5306 · Dec 2, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in admin/index.php in PG Real Estate Solution allows remote attackers to execute arbitrary SQL commands via the login_lg parameter (username). NOTE: some of these details are obtained from third party information.

  • CVE-2008-5295 · Dec 1, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in index.php in Jamit Job Board 3.4.10 allows remote attackers to execute arbitrary SQL commands via the show_emp parameter.

  • CVE-2008-5294 · Dec 1, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in index.php in WebStudio eCatalogue allows remote attackers to execute arbitrary SQL commands via the pageid parameter.

  • CVE-2008-5293 · Dec 1, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in index.php in WebStudio eHotel allows remote attackers to execute arbitrary SQL commands via the pageid parameter.

  • CVE-2008-5292 · Dec 1, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in view_snaps.php in VideoGirls BiZ allows remote attackers to execute arbitrary SQL commands via the type parameter.

  • CVE-2008-5289 · Dec 1, 2008 · risk 0.03 · cvss (no score listed) · epss 0.02

    SQL injection vulnerability in full_txt.php in Werner Hilversum Clean CMS 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5287 · Dec 1, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in catagorie.php in Werner Hilversum FAQ Manager 1.2 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

  • CVE-2008-5273 · Nov 28, 2008 · risk 0.03 · cvss (no score listed) · epss 0.01

    SQL injection vulnerability in viewnews.asp in Todd Woolums ASP News Management 2.2 allows remote attackers to execute arbitrary SQL commands via the newsID parameter.

  • CVE-2008-5270 · Nov 28, 2008 · risk 0.03 · cvss (no score listed) · epss 0.00

    SQL injection vulnerability in view.topics.php in Yuhhu Superstar 2008 allows remote attackers to execute arbitrary SQL commands via the board parameter.