VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 339 of 641
  • CVE-2021-35487MedMay 25, 2022
    risk 0.42cvss 6.5epss 0.01

    Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain…

  • CVE-2013-10003MedMay 24, 2022
    risk 0.42cvss 6.5epss 0.01

    A vulnerability classified as critical has been found in Telecommunication Software SAMwin Contact Center Suite 5.1. This affects the function getCurrentDBVersion in the library SAMwinLIBVB.dll of the database handler. The manipulation leads to sql injection. The exploit has…

  • CVE-2022-29498HigApr 21, 2022
    risk 0.42cvss 7.5epss 0.01

    Blazer before 2.6.0 allows SQL Injection. In certain circumstances, an attacker could get a user to run a query they would not have normally run.

  • CVE-2022-1339HigApr 13, 2022
    risk 0.42cvss 7.5epss 0.05

    SQL injection in ElementController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of steal the data

  • CVE-2022-27127MedApr 10, 2022
    risk 0.42cvss 6.5epss 0.01

    zbzcms v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php/ajax.php.

  • CVE-2022-1219HigApr 8, 2022
    risk 0.42cvss 7.5epss 0.01

    SQL injection in RecyclebinController.php in GitHub repository pimcore/pimcore prior to 10.3.5. This vulnerability is capable of steal the data

  • CVE-2021-40645MedMar 30, 2022
    risk 0.42cvss 6.5epss 0.01

    An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter getHaveDoneTaskDataList method of the FlowTaskController.

  • CVE-2021-40644MedMar 30, 2022
    risk 0.42cvss 6.5epss 0.01

    An SQL Injection vulnerability exists in oasys oa_system as of 9/7/2021 in resources/mappers/notice-mapper.xml.

  • CVE-2022-24956MedMar 29, 2022
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Shopware B2B-Suite through 4.4.1. The sort-by parameter of the search functionality of b2border and b2borderlist allows SQL injection. Possible techniques are boolean-based blind, time-based blind, and potentially stacked queries. The vulnerability…

  • CVE-2021-43091HigMar 25, 2022
    risk 0.42cvss 7.5epss 0.01

    An SQL Injection vlnerability exits in Yeswiki doryphore 20211012 via the email parameter in the registration form.

  • CVE-2022-0153HigMar 24, 2022
    risk 0.42cvss 7.5epss 0.01

    SQL Injection in GitHub repository forkcms/forkcms prior to 5.11.1.

  • CVE-2022-25506MedMar 11, 2022
    risk 0.42cvss 6.5epss 0.01

    FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.

  • CVE-2021-43969MedMar 10, 2022
    risk 0.42cvss 6.5epss 0.01

    The login.jsp page of Quicklert for Digium 10.0.0 (1043) is affected by both Blind SQL Injection with Out-of-Band Interaction (DNS) and Blind Time-Based SQL Injections. Exploitation can be used to disclose all data within the database (up to and including the administrative…

  • CVE-2021-24928MedFeb 7, 2022
    risk 0.42cvss 6.5epss 0.01

    The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any authenticated user, such…

  • CVE-2021-21937MedDec 22, 2021
    risk 0.42cvss 6.5epss 0.01

    A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘host_alt_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

  • CVE-2021-21935MedDec 22, 2021
    risk 0.42cvss 6.5epss 0.01

    A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘host_alt_filter2’ parameter. This can be done as any authenticated user or through cross-site request forgery.

  • CVE-2021-21934MedDec 22, 2021
    risk 0.42cvss 6.5epss 0.01

    A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at ‘imei_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

  • CVE-2021-21933MedDec 22, 2021
    risk 0.42cvss 6.5epss 0.01

    A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at ‘esn_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

  • CVE-2021-21932MedDec 22, 2021
    risk 0.42cvss 6.5epss 0.01

    A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at ‘name_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

  • CVE-2021-21931MedDec 22, 2021
    risk 0.42cvss 6.5epss 0.01

    A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at‘ stat_filter’ parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.