VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Base · Stable · Likelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 331 of 441
  • CVE-2008-5046 · Nov 13, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in index.php in Mole Group Pizza Script allows remote attackers to execute arbitrary SQL commands via the manufacturers_id parameter.

  • CVE-2008-5037 · Nov 12, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in view.php in ElkaGroup Image Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-5004 · Nov 10, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in genscode.php in myWebland Bloggie Lite 0.0.2 beta allows remote attackers to execute arbitrary SQL commands via a crafted cookie.

  • CVE-2008-5003 · Nov 10, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in ndetail.php in Shahrood allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-5000 · Nov 10, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in admin/includes/news.inc.php in PHPX 3.5.16, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via uppercase characters in the news_id parameter.

  • CVE-2008-4906 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in lyrics_song.php in the Lyrics (lyrics_menu) plugin 0.42 for e107 allows remote attackers to execute arbitrary SQL commands via the l_id parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-4902 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in contact_author.php in Article Publisher Pro 1.5 allows remote attackers to execute arbitrary SQL commands via the userid parameter.

  • CVE-2008-4901 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in admin/admin.php in Article Publisher Pro 1.5 allows remote attackers to execute arbitrary SQL commands via the username parameter.

  • CVE-2008-4900 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tr.php in YourFreeWorld Classifieds Blaster Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4897 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in fichiers/add_url.php in Logz podcast CMS 1.3.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the art parameter.

  • CVE-2008-4895 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tr.php in YourFreeWorld Downline Builder allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4912 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in popup_img.php in the fotogalerie module in RS MAXSOFT allows remote attackers to execute arbitrary SQL commands via the fotoID parameter. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect.

  • CVE-2008-4890 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in products.php in 1st News 4 Professional (PR 1) allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4889 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in deV!L'z Clanportal (DZCP) 1.4.9.6 and earlier allows remote attackers to execute arbitrary SQL commands via the users parameter in an addbuddy operation in a buddys action.

  • CVE-2008-4887 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in NetRisk 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter in a (1) profile page (profile.php) or (2) game page (game.php). NOTE: some of these details are obtained from third party information.

  • CVE-2008-4886 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in index.php in YourFreeWorld Shopping Cart Script allows remote attackers to execute arbitrary SQL commands via the c parameter.

  • CVE-2008-4885 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tr1.php in YourFreeWorld Scrolling Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4884 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tr.php in YourFreeWorld Classifieds Hosting Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4883 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tr.php in YourFreeWorld Blog Blaster Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4882 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tr.php in YourFreeWorld Autoresponder Hosting Script allows remote attackers to execute arbitrary SQL commands via the id parameter.