VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 338 of 441
  • CVE-2008-4144Sep 24, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in ACG-ScriptShop E-Gold Script Shop allows remote attackers to execute arbitrary SQL commands via the cid parameter in a showcat action.

  • CVE-2008-4142Sep 24, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in article.php in E-Php CMS allows remote attackers to execute arbitrary SQL commands via the es_id parameter.

  • CVE-2008-4186Sep 23, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in webCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id_doc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-4185Sep 23, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in webCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id parameter in a documentos action, a different vector than CVE-2008-3213.

  • CVE-2008-4178Sep 23, 2008
    risk 0.03cvss epss 0.04

    SQL injection vulnerability in tr.php in DownlineGoldmine Special Category Addon, Downline Builder Pro, New Addon, and Downline Goldmine Builder allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-4177Sep 23, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in search.php in Pre Real Estate Listings allows remote attackers to execute arbitrary SQL commands via the c parameter.

  • CVE-2008-4176Sep 23, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in izle.asp in FoT Video scripti 1.1 beta allows remote attackers to execute arbitrary SQL commands via the oyun parameter.

  • CVE-2008-4175Sep 23, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in Link Bid Script 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) ucat parameter to upgrade.php and the (2) id parameter to linkadmin/edit.php.

  • CVE-2008-4161Sep 22, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in search_inv.php in Assetman 2.5b allows remote attackers to execute arbitrary SQL commands and conduct session fixation attacks via a combination of crafted order and order_by parameters in a search_all action.

  • CVE-2008-4173Sep 22, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in ProArcadeScript 1.3 allows remote attackers to execute arbitrary SQL commands via the random parameter to the default URI.

  • CVE-2008-4172Sep 22, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in page.php in Cars & Vehicle (aka Cars-Vehicle Script) allows remote attackers to execute arbitrary SQL commands via the lnkid parameter.

  • CVE-2008-4169Sep 22, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in detaillist.php in iScripts EasyIndex, possibly 1.0, allows remote attackers to execute arbitrary SQL commands via the produid parameter.

  • CVE-2008-4159Sep 22, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Jaw Portal and Zanfi CMS lite and allows remote attackers to execute arbitrary SQL commands via the page (pageid) parameter.

  • CVE-2008-4157Sep 22, 2008
    risk 0.03cvss epss 0.03

    SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 1.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter, a different vector than CVE-2007-3610. NOTE: it was later reported that 1.2.3 is also affected.

  • CVE-2008-4156Sep 19, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in print.php in CustomCms (CCMS) Gaming Portal 4.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4154Sep 19, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in living-e webEdition CMS allows remote attackers to execute arbitrary SQL commands via the we_objectID parameter.

  • CVE-2008-4093Sep 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in memberstats.php in YourOwnBux 3.1 and 3.2 beta, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter.

  • CVE-2008-4092Sep 15, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in printfeature.php in myPHPNuke (MPN) before 1.8.8_8rc2 allows remote attackers to execute arbitrary SQL commands via the artid parameter.

  • CVE-2008-4091Sep 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Web Directory Script 1.5.3 allows remote attackers to execute arbitrary SQL commands via the site parameter in an open action.

  • CVE-2008-4090Sep 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in PHP Coupon Script 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in an addtocart action, a different vector than CVE-2007-2672.