CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 337 of 441| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-4357 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in linkto.php in Powie pLink 2.07 allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-4356 | 0.03 | — | 0.00 | Sep 30, 2008 | Multiple SQL injection vulnerabilities in Kasseler CMS 1.1.0 and 1.2.0 allow remote attackers to execute arbitrary SQL commands via (1) the nid parameter to index.php in a View action to the News module; (2) the vid parameter to index.php in a Result action to the Voting module; (3) the fid parameter to index.php in a ShowForum action to the Forum module; (4) the tid parameter to index.php in a ShowTopic action to the Forum module; (5) the uname parameter to index.php in a UserInfo action to the Account module; or (6) the module parameter to index.php, probably related to the TopSites module. | ||
| CVE-2008-4355 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in showprofil.php in Powie PSCRIPT Forum (aka PHP Forum or pForum) 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-4354 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in the products module in NetArt Media iBoutique 4.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php. | ||
| CVE-2008-4353 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in link.php in Linkarity allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. NOTE: although one component of Linkarity is distributable PHP code, this issue might be site-specific. If so, it should not be included in CVE. | ||
| CVE-2008-4352 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in inc/pages/viewprofile.php in phpSmartCom 0.2 allows remote attackers to execute arbitrary SQL commands via the uid parameter in a viewprofile action to index.php. | ||
| CVE-2008-4350 | 0.03 | — | 0.01 | Sep 30, 2008 | SQL injection vulnerability in main.php in vbLOGIX Tutorial Script 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action. | ||
| CVE-2008-4347 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in newskom.php in Powie pNews 2.03 allows remote attackers to execute arbitrary SQL commands via the newsid parameter. | ||
| CVE-2008-4345 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in download.php in WebPortal CMS 0.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the aid parameter. | ||
| CVE-2008-4344 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in cat.php in 6rbScript allows remote attackers to execute arbitrary SQL commands via the CatID parameter. | ||
| CVE-2008-4335 | 0.03 | — | 0.01 | Sep 30, 2008 | SQL injection vulnerability in album.php in Atomic Photo Album (APA) 1.1.0pre4 allows remote attackers to execute arbitrary SQL commands via the apa_album_ID parameter. | ||
| CVE-2008-4332 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in the showjavatopic function in func.php in PHP infoBoard V.7 Plus allows remote attackers to execute arbitrary SQL commands via the idcat parameter to showtopic.php. | ||
| CVE-2008-4328 | 0.03 | — | 0.00 | Sep 30, 2008 | SQL injection vulnerability in site_search.php in EasyRealtorPRO 2008 allows remote attackers to execute arbitrary SQL commands via the (1) item, (2) search_ordermethod, and (3) search_order parameters. | ||
| CVE-2008-4241 | 0.03 | — | 0.00 | Sep 25, 2008 | SQL injection vulnerability in CJ Ultra Plus 1.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via an SID cookie. | ||
| CVE-2008-4205 | 0.03 | — | 0.01 | Sep 24, 2008 | SQL injection vulnerability in search.php Attachmax Dolphin 2.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the category parameter in a Search action to index.php. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-4204 | 0.03 | — | 0.00 | Sep 24, 2008 | SQL injection vulnerability in city.asp in SoftAcid Hotel Reservation System (HRS) allows remote attackers to execute arbitrary SQL commands via the city parameter. | ||
| CVE-2008-4203 | 0.03 | — | 0.00 | Sep 24, 2008 | SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earlier allows remote attackers to execute arbitrary SQL commands via a recook cookie. | ||
| CVE-2008-4202 | 0.03 | — | 0.00 | Sep 24, 2008 | SQL injection vulnerability in index.php in Gonafish LinksCaffePRO 4.5 allows remote attackers to execute arbitrary SQL commands via the idd parameter in a deadlink action. | ||
| CVE-2008-4150 | 0.03 | — | 0.00 | Sep 24, 2008 | SQL injection vulnerability in picture_category.php in Diesel Joke Site allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2006-3763. | ||
| CVE-2008-4145 | 0.03 | — | 0.00 | Sep 24, 2008 | SQL injection vulnerability in user_read_links.php in Addalink 1.0 beta 4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the category_id parameter. |
- CVE-2008-4357Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in linkto.php in Powie pLink 2.07 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-4356Sep 30, 2008risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in Kasseler CMS 1.1.0 and 1.2.0 allow remote attackers to execute arbitrary SQL commands via (1) the nid parameter to index.php in a View action to the News module; (2) the vid parameter to index.php in a Result action to the Voting module; (3) the fid parameter to index.php in a ShowForum action to the Forum module; (4) the tid parameter to index.php in a ShowTopic action to the Forum module; (5) the uname parameter to index.php in a UserInfo action to the Account module; or (6) the module parameter to index.php, probably related to the TopSites module.
- CVE-2008-4355Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in showprofil.php in Powie PSCRIPT Forum (aka PHP Forum or pForum) 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-4354Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the products module in NetArt Media iBoutique 4.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php.
- CVE-2008-4353Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in link.php in Linkarity allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. NOTE: although one component of Linkarity is distributable PHP code, this issue might be site-specific. If so, it should not be included in CVE.
- CVE-2008-4352Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in inc/pages/viewprofile.php in phpSmartCom 0.2 allows remote attackers to execute arbitrary SQL commands via the uid parameter in a viewprofile action to index.php.
- CVE-2008-4350Sep 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in main.php in vbLOGIX Tutorial Script 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.
- CVE-2008-4347Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in newskom.php in Powie pNews 2.03 allows remote attackers to execute arbitrary SQL commands via the newsid parameter.
- CVE-2008-4345Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in download.php in WebPortal CMS 0.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the aid parameter.
- CVE-2008-4344Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in cat.php in 6rbScript allows remote attackers to execute arbitrary SQL commands via the CatID parameter.
- CVE-2008-4335Sep 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in album.php in Atomic Photo Album (APA) 1.1.0pre4 allows remote attackers to execute arbitrary SQL commands via the apa_album_ID parameter.
- CVE-2008-4332Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the showjavatopic function in func.php in PHP infoBoard V.7 Plus allows remote attackers to execute arbitrary SQL commands via the idcat parameter to showtopic.php.
- CVE-2008-4328Sep 30, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in site_search.php in EasyRealtorPRO 2008 allows remote attackers to execute arbitrary SQL commands via the (1) item, (2) search_ordermethod, and (3) search_order parameters.
- CVE-2008-4241Sep 25, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in CJ Ultra Plus 1.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via an SID cookie.
- CVE-2008-4205Sep 24, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in search.php Attachmax Dolphin 2.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the category parameter in a Search action to index.php. NOTE: some of these details are obtained from third party information.
- CVE-2008-4204Sep 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in city.asp in SoftAcid Hotel Reservation System (HRS) allows remote attackers to execute arbitrary SQL commands via the city parameter.
- CVE-2008-4203Sep 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earlier allows remote attackers to execute arbitrary SQL commands via a recook cookie.
- CVE-2008-4202Sep 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Gonafish LinksCaffePRO 4.5 allows remote attackers to execute arbitrary SQL commands via the idd parameter in a deadlink action.
- CVE-2008-4150Sep 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in picture_category.php in Diesel Joke Site allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2006-3763.
- CVE-2008-4145Sep 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in user_read_links.php in Addalink 1.0 beta 4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the category_id parameter.