CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 334 of 441

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-4643 | | 0.03 | — | 0.01 | | Oct 22, 2008 | SQL injection vulnerability in hits.php in myWebland myStats allows remote attackers to execute arbitrary SQL commands via the sortby parameter. |
| CVE-2008-4642 | | 0.03 | — | 0.01 | | Oct 21, 2008 | SQL injection vulnerability in profile.php in AstroSPACES 1.1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action. |
| CVE-2008-4628 | | 0.03 | — | 0.00 | | Oct 21, 2008 | SQL injection vulnerability in del.php in myWebland miniBloggie 1.0 allows remote attackers to execute arbitrary SQL commands via the post_id parameter. |
| CVE-2008-4627 | | 0.03 | — | 0.00 | | Oct 21, 2008 | SQL injection vulnerability in the rGallery plugin 1.09 for WoltLab Burning Board (WBB) allows remote attackers to execute arbitrary SQL commands via the itemID parameter in the RGalleryImageWrapper page in index.php. |
| CVE-2008-4625 | | 0.03 | — | 0.01 | | Oct 21, 2008 | SQL injection vulnerability in stnl_iframe.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter, a different vector than CVE-2008-0683. |
| CVE-2008-4623 | | 0.03 | — | 0.01 | | Oct 21, 2008 | SQL injection vulnerability in the DS-Syndicate (com_ds-syndicate) component 1.1.1 for Joomla allows remote attackers to execute arbitrary SQL commands via the feed_id parameter to index2.php. |
| CVE-2008-4621 | | 0.03 | — | 0.01 | | Oct 21, 2008 | SQL injection vulnerability in bannerclick.php in ZeeScripts Zeeproperty allows remote attackers to execute arbitrary SQL commands via the adid parameter. |
| CVE-2008-4620 | | 0.03 | — | 0.00 | | Oct 21, 2008 | SQL injection vulnerability in Meeting Room Booking System (MRBS) before 1.4 allows remote attackers to execute arbitrary SQL commands via the area parameter to (1) month.php, and possibly (2) day.php and (3) week.php. |
| CVE-2008-4617 | | 0.03 | — | 0.00 | | Oct 20, 2008 | SQL injection vulnerability in the actualite module 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-4613 | | 0.03 | — | 0.01 | | Oct 20, 2008 | SQL injection vulnerability in forums.asp in PortalApp 4.0 allows remote attackers to execute arbitrary SQL commands via the sortby parameter. |
| CVE-2008-4611 | | 0.03 | — | 0.00 | | Oct 20, 2008 | SQL injection vulnerability in index.php in PHP Arsivimiz Php Ziyaretci Defteri allows remote attackers to execute arbitrary SQL commands via the sayfa parameter. |
| CVE-2008-4606 | | 0.03 | — | 0.01 | | Oct 18, 2008 | Multiple SQL injection vulnerabilities in IP Reg 0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) location_id parameter to locationdel.php and (2) vlan_id parameter to vlanedit.php. NOTE: the vlanview.php and vlandel.php vectors are already covered by CVE-2007-6579. |
| CVE-2008-4605 | | 0.03 | — | 0.01 | | Oct 18, 2008 | SQL injection vulnerability in CafeEngine allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) dish.php and (2) menu.php. |
| CVE-2008-4604 | | 0.03 | — | 0.00 | | Oct 18, 2008 | SQL injection vulnerability in index.php in Easy CafeEngine 1.1 allows remote attackers to execute arbitrary SQL commands via the itemid parameter. |
| CVE-2008-4603 | | 0.03 | — | 0.00 | | Oct 18, 2008 | SQL injection vulnerability in search.php in iGaming CMS 2.0 Alpha 1 allows remote attackers to execute arbitrary SQL commands via the keywords parameter in a search_games action. |
| CVE-2008-4599 | | 0.03 | — | 0.01 | | Oct 18, 2008 | SQL injection vulnerability in category.php in Mosaic Commerce allows remote attackers to execute arbitrary SQL commands via the cid parameter. |
| CVE-2008-4590 | | 0.03 | — | 0.00 | | Oct 16, 2008 | Multiple SQL injection vulnerabilities in Stash 1.0.3 allow remote attackers to execute arbitrary SQL commands via (1) the username parameter to admin/login.php and (2) the post parameter to admin/news.php. |
| CVE-2008-4574 | | 0.03 | — | 0.00 | | Oct 15, 2008 | SQL injection vulnerability in default.asp in Ayco Okul Portali allows remote attackers to execute arbitrary SQL commands via the linkid parameter. |
| CVE-2008-4573 | | 0.03 | — | 0.01 | | Oct 15, 2008 | SQL injection vulnerability in kategori.asp in MunzurSoft Wep Portal W3 allows remote attackers to execute arbitrary SQL commands via the kat parameter. |
| CVE-2008-4570 | | 0.03 | — | 0.01 | | Oct 15, 2008 | SQL injection vulnerability in index.php in Real Estate Classifieds allows remote attackers to execute arbitrary SQL commands via the cat parameter. |