CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
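The two parameter shapes that dominate the listing below are a quoted string (a `username` field) and an unquoted numeric id (`shownews`, `pid`, `cid`, `item_id`). The added example below is not from this page or from any product named in it; it uses a constructed in-memory SQLite schema to show both shapes built by string interpolation next to their parameterized fixes. It also shows why quote escaping alone (the defence that `magic_quotes_gpc`, mentioned in CVE-2008-5267, was relied on for) does nothing for a parameter used in numeric context: `1 OR 1=1` contains no quote to escape.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema for the demo (not from any product listed here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'admin', 's3cret');
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO news VALUES (1, 'Public post', 1), (2, 'Unpublished draft', 0);
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: user input is spliced into the SQL text, so a quote in the input
    closes the string literal and the remainder is parsed as SQL."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username, password):
    """Bound parameters: the driver ships values separately from the SQL text,
    so the input can never alter the statement's grammar."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]


def escape_quotes(value):
    """Quote doubling, the SQLite analogue of the escaping-based defence that
    PHP's magic_quotes_gpc / addslashes() provided (assumed equivalent here)."""
    return value.replace("'", "''")


def show_news_escaped(conn, shownews):
    """Still CWE-89: the parameter sits in an unquoted numeric position, so
    escaping quotes is irrelevant; '1 OR 1=1' needs no quote at all and the
    trailing OR also defeats the published = 1 filter (AND binds tighter)."""
    sql = (f"SELECT id, title FROM news WHERE published = 1 "
           f"AND id = {escape_quotes(shownews)} ORDER BY id")
    return [row[1] for row in conn.execute(sql)]


def show_news_fixed(conn, shownews):
    """Validate against the type the column expects, then bind the value."""
    try:
        news_id = int(shownews)
    except ValueError:
        return []
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = ? ORDER BY id"
    return [row[1] for row in conn.execute(sql, (news_id,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, tautology, tautology))
    print("fixed login:     ", login_fixed(db, tautology, tautology))
    print("escaped numeric: ", show_news_escaped(db, "1 OR 1=1"))
    print("fixed numeric:   ", show_news_fixed(db, "1 OR 1=1"))
```

The tautology payload makes the vulnerable login return every user, while the same strings bound as parameters match nothing. For the numeric id, the escaped-but-interpolated query leaks the unpublished row because `published = 1 AND id = 1 OR 1=1` groups as `(published = 1 AND id = 1) OR 1=1`; the fixed version rejects the non-integer input before any SQL is built.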
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 329 of 441

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-5269 | | 0.03 | — | 0.00 | | Nov 28, 2008 | SQL injection vulnerability in index.php in pSys 0.7.0 alpha allows remote attackers to execute arbitrary SQL commands via the shownews parameter. |
| CVE-2008-5268 | | 0.03 | — | 0.00 | | Nov 28, 2008 | SQL injection vulnerability in content/forums/reply.asp in ASPPortal allows remote attackers to execute arbitrary SQL commands via the Topic_Id parameter. |
| CVE-2008-5267 | | 0.03 | — | 0.00 | | Nov 28, 2008 | SQL injection vulnerability in answer.php in Experts 1.0.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the question_id parameter. |
| CVE-2008-5226 | | 0.03 | — | 0.00 | | Nov 25, 2008 | SQL injection vulnerability in the MambAds (com_mambads) component 1.0 RC1 Beta and 1.0 RC1 for Mambo allows remote attackers to execute arbitrary SQL commands via the ma_cat parameter in a view action to index.php, a different vector than CVE-2007-5177. |
| CVE-2008-5223 | | 0.03 | — | 0.00 | | Nov 25, 2008 | SQL injection vulnerability in index.php in Airvae Commerce 3.0 allows remote attackers to execute arbitrary SQL commands via the pid parameter. |
| CVE-2008-5222 | | 0.03 | — | 0.00 | | Nov 25, 2008 | SQL injection vulnerability in login.asp in Dvbbs 8.2.0 allows remote attackers to execute arbitrary SQL commands via the username parameter. |
| CVE-2008-5216 | | 0.03 | — | 0.00 | | Nov 24, 2008 | SQL injection vulnerability in category_list.php in AJ Square ZeusCart 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter. |
| CVE-2008-5215 | | 0.03 | — | 0.00 | | Nov 24, 2008 | SQL injection vulnerability in service/profil.php in ClanLite 2.2006.05.20 allows remote attackers to execute arbitrary SQL commands via the link parameter. |
| CVE-2008-5213 | | 0.03 | — | 0.00 | | Nov 24, 2008 | SQL injection vulnerability in featured_article.php in AJ Article 1.0 allows remote attackers to execute arbitrary SQL commands via the artid parameter in a search detail action. |
| CVE-2008-5212 | | 0.03 | — | 0.00 | | Nov 24, 2008 | SQL injection vulnerability in classifide_ad.php in AJ Auction 6.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the item_id parameter. |
| CVE-2008-5208 | | 0.03 | — | 0.00 | | Nov 24, 2008 | SQL injection vulnerability in sub_votepic.php in the Datsogallery (com_datsogallery) module 1.6 for Joomla! allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header. |
| CVE-2008-5200 | | 0.03 | — | 0.00 | | Nov 21, 2008 | SQL injection vulnerability in the Xe webtv (com_xewebtv) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. |
| CVE-2008-5198 | | 0.03 | — | 0.00 | | Nov 21, 2008 | SQL injection vulnerability in memberlist.php in Acmlmboard 1.A2 allows remote attackers to execute arbitrary SQL commands via the pow parameter. |
| CVE-2008-5197 | | 0.03 | — | 0.01 | | Nov 21, 2008 | SQL injection vulnerability in classifieds.php in PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the lid parameter in a detail_adverts action. |
| CVE-2008-5196 | | 0.03 | — | 0.00 | | Nov 21, 2008 | SQL injection vulnerability in kroax.php in the Kroax (the_kroax) 4.42 and earlier module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the category parameter. |
| CVE-2008-5195 | | 0.03 | — | 0.00 | | Nov 21, 2008 | Multiple SQL injection vulnerabilities in SebracCMS (sbcms) 0.4 allow remote attackers to execute arbitrary SQL commands via (1) the recid parameter to cms/form/read.php, (2) the uname parameter to cms/index.php, and other unspecified vectors. |
| CVE-2008-5194 | | 0.03 | — | 0.01 | | Nov 21, 2008 | SQL injection vulnerability in checkavail.php in SoftVisions Software Online Booking Manager (obm) 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-5192 | | 0.03 | — | 0.00 | | Nov 21, 2008 | SQL injection vulnerability in forum.asp in W1L3D4 Philboard 1.14 and 1.2 allows remote attackers to execute arbitrary SQL commands via the forumid parameter. NOTE: this might overlap CVE-2008-2334, CVE-2008-1939, CVE-2007-2641, or CVE-2007-0920. |
| CVE-2008-5190 | | 0.03 | — | 0.01 | | Nov 21, 2008 | SQL injection vulnerability in index.php in eSHOP100 allows remote attackers to execute arbitrary SQL commands via the SUB parameter. |
| CVE-2008-5174 | | 0.03 | — | 0.00 | | Nov 19, 2008 | SQL injection vulnerability in joke.php in Jokes Complete Website 2.1.3 allows remote attackers to execute arbitrary SQL commands via the jokeid parameter. |