CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 336 of 441

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-4464 | | 0.03 | — | 0.00 | | Oct 7, 2008 | SQL injection vulnerability in view_mags.php in Vastal I-Tech Mag Zone allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. |
| CVE-2008-4463 | | 0.03 | — | 0.00 | | Oct 7, 2008 | SQL injection vulnerability in view_news.php in Vastal I-Tech Jobs Zone allows remote attackers to execute arbitrary SQL commands via the news_id parameter. |
| CVE-2008-4462 | | 0.03 | — | 0.00 | | Oct 7, 2008 | SQL injection vulnerability in view_news.php in Vastal I-Tech Visa Zone allows remote attackers to execute arbitrary SQL commands via the news_id parameter. |
| CVE-2008-4461 | | 0.03 | — | 0.00 | | Oct 7, 2008 | SQL injection vulnerability in advanced_search_results.php in Vastal I-Tech Dating Zone, possibly 0.9.9, allows remote attackers to execute arbitrary SQL commands via the fage parameter. |
| CVE-2008-4460 | | 0.03 | — | 0.00 | | Oct 7, 2008 | SQL injection vulnerability in game.php in Vastal I-Tech MMORPG Zone allows remote attackers to execute arbitrary SQL commands via the game_id parameter. |
| CVE-2008-4459 | | 0.03 | — | 0.00 | | Oct 7, 2008 | SQL injection vulnerability in pick_users.php in the groups module in eXtrovert Thyme 1.3 allows remote attackers to execute arbitrary SQL commands via the uname_search parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2008-4458 | | 0.03 | — | 0.00 | | Oct 7, 2008 | SQL injection vulnerability in listings.php in E-Php B2B Trading Marketplace Script allows remote attackers to execute arbitrary SQL commands via the cid parameter in a product action. |
| CVE-2008-4457 | | 0.03 | — | 0.01 | | Oct 7, 2008 | SQL injection vulnerability in inc/inc_statistics.php in MemHT Portal 3.9.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a stats_res cookie to index.php. |
| CVE-2008-4436 | | 0.03 | — | 0.00 | | Oct 3, 2008 | SQL injection vulnerability in bblog_plugins/builtin.help.php in bBlog 0.7.6 allows remote attackers to execute arbitrary SQL commands via the mod parameter. |
| CVE-2008-4423 | | 0.03 | — | 0.01 | | Oct 3, 2008 | SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to execute arbitrary SQL commands via the item parameter in a contact modify action. |
| CVE-2008-4379 | | 0.03 | — | 0.03 | | Oct 1, 2008 | Cross-site scripting (XSS) vulnerability in report.php in Mr. CGI Guy Hot Links SQL-PHP 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
| CVE-2008-4378 | | 0.03 | — | 0.00 | | Oct 1, 2008 | SQL injection vulnerability in report.php in Mr. CGI Guy Hot Links SQL-PHP 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-4377 | | 0.03 | — | 0.01 | | Oct 1, 2008 | SQL injection vulnerability in index.asp in Creative Mind Creator CMS 5.0 allows remote attackers to execute arbitrary SQL commands via the sideid parameter. |
| CVE-2008-4376 | | 0.03 | — | 0.00 | | Oct 1, 2008 | SQL injection vulnerability in index.php in Live TV Script allows remote attackers to execute arbitrary SQL commands via the mid parameter. |
| CVE-2008-4375 | | 0.03 | — | 0.00 | | Oct 1, 2008 | SQL injection vulnerability in viewprofile.php in Availscript Classmate Script allows remote attackers to execute arbitrary SQL commands via the p parameter. |
| CVE-2008-4374 | | 0.03 | — | 0.01 | | Oct 1, 2008 | SQL injection vulnerability in index.php in CMS Buzz allows remote attackers to execute arbitrary SQL commands via the id parameter in a playgame action. |
| CVE-2008-4373 | | 0.03 | — | 0.00 | | Oct 1, 2008 | SQL injection vulnerability in job_seeker/applynow.php in AvailScript Job Portal Script allows remote attackers to execute arbitrary SQL commands via the jid parameter. |
| CVE-2008-4371 | | 0.03 | — | 0.00 | | Oct 1, 2008 | SQL injection vulnerability in articles.php in AvailScript Article Script allows remote attackers to execute arbitrary SQL commands via the aIDS parameter. |
| CVE-2008-4369 | | 0.03 | — | 0.00 | | Oct 1, 2008 | SQL injection vulnerability in pics.php in Availscript Photo Album allows remote attackers to execute arbitrary SQL commands via the sid parameter. |
| CVE-2008-4364 | | 0.03 | — | 0.01 | | Sep 30, 2008 | SQL injection vulnerability in default.aspx in ParsaGostar ParsaWeb CMS allows remote attackers to execute arbitrary SQL commands via the (1) id parameter in the "page" page and (2) txtSearch parameter in the "Search" page. |