CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 33 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3854 | — | Cri | 0.64 | 9.8 | 0.01 | | Mar 2, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15. |
| CVE-2023-1064 | — | Cri | 0.64 | 9.8 | 0.01 | | Mar 1, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Uzay Baskul Weighbridge Automation Software allows SQL Injection. This issue affects Weighbridge Automation Software: before 1.1. |
| CVE-2022-2504 | — | Cri | 0.64 | 9.8 | 0.01 | | Feb 23, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection. This issue affects SDD-Baro: before 2.8.432. |
| CVE-2023-0939 | — | Cri | 0.64 | 9.8 | 0.01 | | Feb 23, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NTN Information Technologies Online Services Software allows SQL Injection. This issue affects Online Services Software: before 1.17. |
| CVE-2023-25157 | — | Cri | 0.64 | 9.8 | 0.85 | | Feb 21, 2023 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service… |
| CVE-2022-4557 | — | Cri | 0.64 | 9.8 | 0.01 | | Feb 12, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. |
| CVE-2022-4422 | — | Cri | 0.64 | 9.8 | 0.01 | | Jan 10, 2023 | Call Center System developed by Bulutses Information Technologies before version 3.0 has an unauthenticated SQL Injection vulnerability. This has been fixed in version 3.0. |
| CVE-2022-2807 | — | Cri | 0.64 | 9.8 | 0.01 | | Dec 2, 2022 | SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection. This issue affects Prens Student Information System: before 2.1.11. |
| CVE-2022-42122 | — | Cri | 0.64 | 9.8 | 0.01 | | Nov 15, 2022 | A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the `title` field of a friendly URL. |
| CVE-2022-40315 | — | Cri | 0.64 | 9.8 | 0.01 | | Sep 30, 2022 | A limited SQL injection risk was identified in the "browse list of users" site administration page. |
| CVE-2022-37223 | — | Cri | 0.64 | 9.8 | 0.01 | | Aug 23, 2022 | JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list. |
| CVE-2022-37199 | — | Cri | 0.64 | 9.8 | 0.01 | | Aug 23, 2022 | JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list. |
| CVE-2022-36599 | — | Cri | 0.64 | 9.8 | 0.01 | | Aug 16, 2022 | Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in the /mdiy/model/delete URI via models Lists. |
| CVE-2022-36272 | — | Cri | 0.64 | 9.8 | 0.01 | | Aug 16, 2022 | Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in the /mdiy/page/verify URI via the fieldName parameter. |
| CVE-2022-30500 | — | Cri | 0.64 | 9.8 | 0.01 | | May 26, 2022 | Jfinal cms 5.1.0 is vulnerable to SQL Injection. |
| CVE-2022-1505 | — | Cri | 0.64 | 9.8 | 0.02 | | May 10, 2022 | The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal… |
| CVE-2022-27479 | — | Cri | 0.64 | 9.8 | 0.03 | | Apr 13, 2022 | Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher, which addresses this issue. |
| CVE-2021-44135 | — | Cri | 0.64 | 9.8 | 0.02 | | Apr 1, 2022 | pagekit all versions, as of 15-10-2021, is vulnerable to SQL Injection via Comment listing. |
| CVE-2022-23899 | — | Cri | 0.64 | 9.8 | 0.01 | | Mar 3, 2022 | MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java. |
| CVE-2022-23898 | — | Cri | 0.64 | 9.8 | 0.08 | | Mar 3, 2022 | MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml. |