VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 332 of 441
  • CVE-2008-4881 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in tr.php in YourFreeWorld Reminder Service Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4880 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in prodshow.php in Maran PHP Shop allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-4879.

  • CVE-2008-4879 · Nov 4, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in prod.php in Maran PHP Shop allows remote attackers to execute arbitrary SQL commands via the cat parameter, a different vector than CVE-2008-4880.

  • CVE-2008-4877 · Nov 1, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in admin.php in WebCards 1.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-4786 · Oct 29, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in easyshop.php in the EasyShop plugin for e107 allows remote attackers to execute arbitrary SQL commands via the category_id parameter.

  • CVE-2008-4785 · Oct 29, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in newuser.php in the alternate_profiles plugin, possibly 0.2, for e107 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4782 · Oct 29, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in public/code/cp_polls_results.php in All In One Control Panel (AIOCP) 1.4 allows remote attackers to execute arbitrary SQL commands via the poll_id parameter.

  • CVE-2008-4778 · Oct 29, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in the gallery module in Koobi CMS 4.3.0 allows remote attackers to execute arbitrary SQL commands via the galid parameter in a showimages action.

  • CVE-2008-4777 · Oct 29, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in the Showroom Joomlearn LMS (com_lms) component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the cat parameter in a showTests task.

  • CVE-2008-4772 · Oct 28, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in main/main.php in QuestCMS allows remote attackers to execute arbitrary SQL commands via the obj parameter.

  • CVE-2008-4768 · Oct 28, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in TLM CMS 3.1 allows remote attackers to execute arbitrary SQL commands via the nom parameter to a-b-membres.php. NOTE: the goodies.php vector is already covered by CVE-2007-4808. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-4765 · Oct 28, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in pollBooth.php in osCommerce Poll Booth Add-On 2.0 allows remote attackers to execute arbitrary SQL commands via the pollID parameter in a results operation. NOTE: this issue was disclosed by an unreliable researcher, so it might be incorrect.

  • CVE-2008-4760 · Oct 28, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in lecture.php in Graphiks MyForum 1.3, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4757 · Oct 28, 2008
    risk 0.03 · cvss · epss 0.00

    Multiple SQL injection vulnerabilities in PHP-Daily allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) add_postit.php (b) delete.php, and (c) mod_prest_date.php; and the (2) prev parameter to (d) prest_detail.php.

  • CVE-2008-4755 · Oct 28, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in gotourl.php in PozScripts Classified Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4754 · Oct 27, 2008
    risk 0.03 · cvss · epss 0.01

    SQL injection vulnerability in forum.php in Scripts for Sites (SFS) Ez Forum allows remote attackers to execute arbitrary SQL commands via the forum parameter.

  • CVE-2008-4753 · Oct 27, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in EditUrl.php in AJ Square RSS Reader allows remote attackers to execute arbitrary SQL commands via the url parameter.

  • CVE-2008-4744 · Oct 27, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in product_detail.php in DXShopCart 4.30mc allows remote attackers to execute arbitrary SQL commands via the pid parameter.

  • CVE-2008-4743 · Oct 27, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in index.php in QuidaScript FAQ Management Script allows remote attackers to execute arbitrary SQL commands via the catid parameter.

  • CVE-2008-4738 · Oct 24, 2008
    risk 0.03 · cvss · epss 0.00

    SQL injection vulnerability in gallery.php in MyCard 1.0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.