VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
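Worked example, added to this page and not taken from the original or from any product listed below: the same content lookup built three ways and run against a constructed in-memory SQLite table. It shows the quoted-string breakout the description refers to, why quote-escaping of the kind PHP's magic_quotes_gpc provided (the Brim and Stash entries in the list below depend on it being disabled) does nothing when the value lands in a numeric context such as an id parameter, and the parameterized form that neutralizes both. The table, rows, payloads and function names (make_db, lookup_concat_quoted, lookup_concat_numeric, lookup_parameterized) are all constructed for this example.

```python
"""Added example (not from the original page or any product listed on it):
string-built SQL versus bound parameters, against a constructed SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a small content table of the kind an
    # ?id= or ?page= parameter typically selects from.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO pages VALUES (1, 'Welcome', 1);
        INSERT INTO pages VALUES (2, 'Pricing', 1);
        INSERT INTO pages VALUES (3, 'Unpublished draft', 0);
        """
    )
    return conn


def lookup_concat_quoted(conn: sqlite3.Connection, user_input: str) -> list:
    # VULNERABLE: input spliced into a quoted literal. A single quote in the
    # input closes the literal; everything after it is parsed as SQL, and
    # '--' comments out the trailing 'AND published = 1' filter.
    sql = f"SELECT id, title FROM pages WHERE title = '{user_input}' AND published = 1"
    return conn.execute(sql).fetchall()


def escape_quotes(value: str) -> str:
    # Quote-doubling, the SQL-standard counterpart of the PHP-era
    # magic_quotes_gpc / addslashes defence. It only matters inside quotes.
    return value.replace("'", "''")


def lookup_concat_quoted_escaped(conn: sqlite3.Connection, user_input: str) -> list:
    # Escaping does stop the quoted-string breakout above, but it is
    # dialect- and charset-dependent and must be remembered at every call site.
    sql = f"SELECT id, title FROM pages WHERE title = '{escape_quotes(user_input)}' AND published = 1"
    return conn.execute(sql).fetchall()


def lookup_concat_numeric(conn: sqlite3.Connection, user_input: str) -> list:
    # STILL VULNERABLE despite escaping: the value lands in a numeric
    # context with no quotes around it, so the payload needs no quote at all.
    sql = f"SELECT id, title FROM pages WHERE id = {escape_quotes(user_input)} AND published = 1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    # FIXED: the value is bound as a parameter. The driver sends it as data,
    # so quotes, keywords and comment markers in it are never parsed as SQL.
    sql = "SELECT id, title FROM pages WHERE id = ? AND published = 1"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    quoted_payload = "' OR 1=1 --"      # breaks out of the string literal
    numeric_payload = "0 OR 1=1 --"     # no quote needed in a numeric context
    print("quoted, concatenated:   ", lookup_concat_quoted(db, quoted_payload))
    print("quoted, escaped:        ", lookup_concat_quoted_escaped(db, quoted_payload))
    print("numeric, escaped:       ", lookup_concat_numeric(db, numeric_payload))
    print("numeric, parameterized: ", lookup_parameterized(db, numeric_payload))
```

Running it, the two concatenated variants return every row including the unpublished draft, the escaped quoted variant returns nothing because the payload is now just a string that matches no title, and the parameterized variant returns nothing because the payload travels as a value compared against id rather than as SQL text. Escaping is context-dependent and easy to get wrong at one of many call sites; binding parameters removes the question of context entirely.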

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 339 of 441
  • CVE-2008-4088 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in print.php in myPHPNuke (MPN) before 1.8.8_8rc2 allows remote attackers to execute arbitrary SQL commands via the sid parameter.

  • CVE-2008-4086 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in index.php in Reciprocal Links Manager 1.1 allows remote attackers to execute arbitrary SQL commands via the site parameter in an open action.

  • CVE-2008-4084 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in staticpages/easyclassifields/index.php in MyioSoft EasyClassifields 3.0 allows remote attackers to execute arbitrary SQL commands via the go parameter in a browse action.

  • CVE-2008-4082 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in the Tasks plugin in Brim 2.0.0, when magic_quotes_gpc is disabled, allows remote authenticated users to execute arbitrary SQL commands via an arbitrary field in a search action to index.php.

  • CVE-2008-4080 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in Stash 1.0.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) username parameter to admin/library/authenticate.php and the (2) download parameter to downloadmp3.php. NOTE: some of these details are obtained from third party information.

  • CVE-2008-4074 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in index.php in Zanfi Autodealers CMS AutOnline allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action.

  • CVE-2008-4073 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in index.php in Zanfi Autodealers CMS AutOnline allows remote attackers to execute arbitrary SQL commands via the pageid parameter in a DBpAGE action.

  • CVE-2008-4072 · Sep 15, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    Multiple SQL injection vulnerabilities in index.php in phsBlog 0.2 allow remote attackers to execute arbitrary SQL commands via (1) the sid parameter in a pickup action or (2) the sql_cid parameter, different vectors than CVE-2008-3588.

  • CVE-2008-4055 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in tops_top.php in Million Pixel Ad Script (Million Pixel Script) allows remote attackers to execute arbitrary SQL commands via the id_cat parameter.

  • CVE-2008-4054 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in indir.php in Kolifa.net Download Script 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4046 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in index.php in eliteCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the page parameter.

  • CVE-2008-4044 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in article/readarticle.php in AJ Square aj-hyip (aka AJ HYIP Acme) allows remote attackers to execute arbitrary SQL commands via the artid parameter.

  • CVE-2008-4043 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    Multiple SQL injection vulnerabilities in AJ Square AJ HYIP Acme allow remote attackers to execute arbitrary SQL commands via the artid parameter to (1) acme/article/comment.php and (2) prime/article/comment.php.

  • CVE-2008-4039 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in index.php in Spice Classifieds allows remote attackers to execute arbitrary SQL commands via the cat_path parameter.

  • CVE-2008-3955 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in index.php in Masir Camp E-Shop Module 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the ordercode parameter in a veiworderstatus page.

  • CVE-2008-3954 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.01

    SQL injection vulnerability in index.php in AlstraSoft Forum Pay Per Post Exchange allows remote attackers to execute arbitrary SQL commands via the cat parameter in a showcat action.

  • CVE-2008-3953 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in keyword_search_action.php in Vastal I-Tech Shaadi Zone 1.0.9 allows remote attackers to execute arbitrary SQL commands via the tage parameter.

  • CVE-2008-3952 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in questions.php in EsFaq 2.0 allows remote attackers to execute arbitrary SQL commands via the idcat parameter.

  • CVE-2008-3951 · Sep 11, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in view_ann.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the ann_id parameter.

  • CVE-2008-3943 · Sep 5, 2008
    risk 0.03 · cvss (not listed) · epss 0.00

    SQL injection vulnerability in listtest.php in eZoneScripts Living Local 1.1 allows remote attackers to execute arbitrary SQL commands via the r parameter.