
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
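The two halves of that description, the spliced-in input and the bound parameter that fixes it, side by side. This is an added example, not code from the CWE entry or from any product listed below; the `topics` table, its rows, the `showtopic`-style parameter names and the payloads are all constructed here for an in-memory SQLite database. It also shows the caveat a practitioner wants when reading the `magic_quotes_gpc` entries further down: doubling quotes does nothing for a parameter that is spliced in without quotes.

```python
"""
Added example for CWE-89 (not part of the CWE entry or any listed product):
the weakness and its fix on an in-memory SQLite database.  Table, rows,
parameter names and payloads are all constructed for this demonstration.
"""
import sqlite3

# Every row in the constructed fixture; row 3 is meant to stay hidden.
ALL_ROWS = [(1, "Welcome"), (2, "Rules"), (3, "Moderator notes")]


def make_db():
    """Constructed fixture: a forum 'topics' table with one hidden row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE topics (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO topics (id, title, hidden) VALUES (?, ?, ?)",
        [(1, "Welcome", 0), (2, "Rules", 0), (3, "Moderator notes", 1)],
    )
    return conn


def escape_quotes(value):
    """Quote-doubling in the spirit of magic_quotes_gpc / addslashes.
    Included only to show it is not a fix for an unquoted numeric splice."""
    return value.replace("'", "''")


# --- the weakness: input becomes part of the SQL text ---------------------

def vulnerable_by_id(conn, topic_id):
    # `topic_id` (think ?showtopic=...) is concatenated into the command.
    # "1 OR 1=1" turns the WHERE clause into (hidden = 0 AND id = 1) OR 1=1,
    # because AND binds tighter than OR, and the hidden row comes back.
    sql = "SELECT id, title FROM topics WHERE hidden = 0 AND id = " + topic_id
    return sorted(conn.execute(sql).fetchall())


def vulnerable_by_title(conn, title):
    # Same defect with a quoted literal: "' OR '1'='1" closes the string
    # and appends a tautology, so the hidden filter is bypassed again.
    sql = "SELECT id, title FROM topics WHERE hidden = 0 AND title = '" + title + "'"
    return sorted(conn.execute(sql).fetchall())


# --- the fix: input travels as a bound parameter, never as SQL ------------

def safe_by_id(conn, topic_id):
    # The driver passes the value out of band.  "1 OR 1=1" is compared to
    # the integer id column as a plain value and matches nothing.
    sql = "SELECT id, title FROM topics WHERE hidden = 0 AND id = ?"
    return sorted(conn.execute(sql, (topic_id,)).fetchall())


def safe_by_title(conn, title):
    # The quote in the payload is data, not syntax; nothing is rewritten.
    sql = "SELECT id, title FROM topics WHERE hidden = 0 AND title = ?"
    return sorted(conn.execute(sql, (title,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign id:    ", vulnerable_by_id(db, "1"))
    print("vulnerable, injected id:  ", vulnerable_by_id(db, "1 OR 1=1"))
    print("quote-escaped, still bad: ", vulnerable_by_id(db, escape_quotes("1 OR 1=1")))
    print("vulnerable, injected title", vulnerable_by_title(db, "' OR '1'='1"))
    print("parameterized id:         ", safe_by_id(db, "1 OR 1=1"))
    print("parameterized title:      ", safe_by_title(db, "' OR '1'='1"))
```

The parameterized versions keep the same SQL shape as the vulnerable ones; only the transport of the value changes, which is why binding rather than escaping is the general fix. Where an identifier such as a column name must vary (the `orderby` pattern in CVE-2008-4651 below), it cannot be bound and has to be checked against an allow-list instead.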

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 333 of 441
  • CVE-2008-4736 · Oct 24, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in index.php in RPG.Board 0.8 Beta2 and earlier allows remote attackers to execute arbitrary SQL commands via the showtopic parameter.

  • CVE-2008-4732 · Oct 24, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in ajax_comments.php in the WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the p parameter.

  • CVE-2008-4717 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in bannerclick.php in ZEELYRICS 2.0 allows remote attackers to execute arbitrary SQL commands via the adid parameter.

  • CVE-2008-4716 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in show.php in BitmixSoft PHP-Lance 1.52 allows remote attackers to execute arbitrary SQL commands via the catid parameter.

  • CVE-2008-4715 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in the Jpad (com_jpad) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter to index.php.

  • CVE-2008-4713 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in view.php in 212cafe Board 0.07 allows remote attackers to execute arbitrary SQL commands via the qID parameter.

  • CVE-2008-4711 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in Joovili 3.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.blog.php, (2) view.event.php, (3) view.group.php, (4) view.music.php, (5) view.picture.php, and (6) view.video.php.

  • CVE-2008-4709 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in news_read.php in Pilot Group (PG) eTraining allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4706 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in VBGooglemap Hotspot Edition 1.0.3, a vBulletin module, allows remote attackers to execute arbitrary SQL commands via the mapid parameter in a showdetails action to (1) vbgooglemaphse.php and (2) mapa.php.

  • CVE-2008-4705 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in success_story.php in php Online Dating Software MyPHPDating allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4703 · Oct 23, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in news.php in BosDev BosNews 4.0 allows remote attackers to execute arbitrary SQL commands via the article parameter.

  • CVE-2008-4701 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in admin.php in Libera CMS 1.12, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the libera_staff_user cookie parameter, a different vector than CVE-2008-4700. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-4700 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in admin.php in Libera CMS 1.12 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the libera_staff_pass cookie parameter.

  • CVE-2008-4675 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in index.php in PHPcounter 1.3.2 and earlier allows remote attackers to execute arbitrary SQL commands via the name parameter.

  • CVE-2008-4674 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in realestate-index.php in Conkurent Real Estate Manager 1.01 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in browse mode.

  • CVE-2008-4666 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in webboard.php in Ultimate Webboard 3.00 allows remote attackers to execute arbitrary SQL commands via the Category parameter.

  • CVE-2008-4665 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in PG Matchmaking allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) news_read.php and (2) gifts_show.php.

  • CVE-2008-4653 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in makale.php in Makale 0.26 and possibly other versions, a module for XOOPS, allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-4651 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    Multiple SQL injection vulnerabilities in Jetbox CMS 2.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby parameter to admin/cms/images.php and the (2) nav_id parameter in an editrecord action to admin/cms/nav.php.

  • CVE-2008-4650 · Oct 22, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in viewevent.php in myEvent 1.6 allows remote attackers to execute arbitrary SQL commands via the eventdate parameter.