VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
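The mechanism above, as an added example that is not part of the CWE entry or of any product listed below: the same login lookup written by splicing input into SQL text (the weakness) and with bound parameters (the fix), run against a constructed in-memory SQLite table. The table, rows, function names and payloads are all assumptions made for the demonstration.

```python
"""Added example (not from the CWE page or any listed product): string-built
SQL beside a parameterized query, exercised with a constructed SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "h_alice", "user"), ("admin", "h_admin", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """CWE-89: untrusted input becomes part of the SQL text. A quote in the
    input closes the string literal, and whatever follows is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password_hash = '"
        + password_hash
        + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str):
    """Fix: the statement shape is fixed before any input is seen; the values
    are bound as data, so a quote in them is only a character in a string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Hypothetical attacker inputs (assumptions for the demonstration).
BYPASS_PAYLOAD = "admin' --"  # closes the literal and comments out the password check
DUMP_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"  # leaks hashes


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS_PAYLOAD, "wrong"))
    print("vulnerable, dump   :", login_vulnerable(db, DUMP_PAYLOAD, "wrong"))
    print("parameterized      :", login_parameterized(db, BYPASS_PAYLOAD, "wrong"))
    print("parameterized, real:", login_parameterized(db, "alice", "h_alice"))
```

The vulnerable path returns the admin row for the first payload and every stored hash for the second; the parameterized path returns nothing for either, because the whole payload is compared as a username. Parameterization is the fix the CWE text points at ("sufficient removal or quoting" is the weaker, error-prone alternative); it does not help where the injected value is an identifier or ORDER BY clause, which must be validated against an allow-list instead.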

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 33 of 512
  • CVE-2021-3854 · Critical · Mar 2, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15.

  • CVE-2023-1064 · Critical · Mar 1, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Uzay Baskul Weighbridge Automation Software allows SQL Injection. This issue affects Weighbridge Automation Software: before 1.1.

  • CVE-2022-2504 · Critical · Feb 23, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection. This issue affects SDD-Baro: before 2.8.432.

  • CVE-2023-0939 · Critical · Feb 23, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NTN Information Technologies Online Services Software allows SQL Injection. This issue affects Online Services Software: before 1.17.

  • CVE-2023-25157 · Critical · Feb 21, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.85

    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service…

  • CVE-2022-4557 · Critical · Feb 12, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01.

  • CVE-2022-4422 · Critical · Jan 10, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Call Center System developed by Bulutses Information Technologies before version 3.0 has an unauthenticated SQL Injection vulnerability. This has been fixed in version 3.0.

  • CVE-2022-2807 · Critical · Dec 2, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection. This issue affects Prens Student Information System: before 2.1.11.

  • CVE-2022-42122 · Critical · Nov 15, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL.

  • CVE-2022-40315 · Critical · Sep 30, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A limited SQL injection risk was identified in the "browse list of users" site administration page.

  • CVE-2022-37223 · Critical · Aug 23, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list.

  • CVE-2022-37199 · Critical · Aug 23, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list.

  • CVE-2022-36599 · Critical · Aug 16, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.

  • CVE-2022-36272 · Critical · Aug 16, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter.

  • CVE-2022-30500 · Critical · May 26, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Jfinal cms 5.1.0 is vulnerable to SQL Injection.

  • CVE-2022-1505 · Critical · May 10, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal…

  • CVE-2022-27479 · Critical · Apr 13, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue.

  • CVE-2021-44135 · Critical · Apr 1, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    pagekit all versions, as of 15-10-2021, is vulnerable to SQL Injection via Comment listing.

  • CVE-2022-23899 · Critical · Mar 3, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java.

  • CVE-2022-23898 · Critical · Mar 3, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.08

    MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.