CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 341 of 441

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-3765 |  | 0.03 | — | 0.00 |  | Aug 21, 2008 | SQL injection vulnerability in code.php in Quick Poll Script allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-3752 |  | 0.03 | — | 0.00 |  | Aug 21, 2008 | SQL injection vulnerability in tr.php in YourFreeWorld Ad-Exchange Script allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-3754 |  | 0.03 | — | 0.00 |  | Aug 21, 2008 | SQL injection vulnerability in trl.php in YourFreeWorld Stylish Text Ads Script allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-3748 |  | 0.03 | — | 0.01 |  | Aug 21, 2008 | SQL injection vulnerability in view_group.php in Active PHP Bookmarks (APB) 1.1.02 and 1.2.06 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-3749 |  | 0.03 | — | 0.01 |  | Aug 21, 2008 | SQL injection vulnerability in tr.php in YourFreeWorld Banner Management Script allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-3750 |  | 0.03 | — | 0.00 |  | Aug 21, 2008 | SQL injection vulnerability in tr.php in YourFreeWorld URL Rotator Script allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-3755 |  | 0.03 | — | 0.01 |  | Aug 21, 2008 | SQL injection vulnerability in view.php in YourFreeWorld Classifieds Script allows remote attackers to execute arbitrary SQL commands via the category parameter. |
| CVE-2008-3720 |  | 0.03 | — | 0.00 |  | Aug 20, 2008 | SQL injection vulnerability in index.php in DeeEmm CMS (DMCMS) 0.7.4 allows remote attackers to execute arbitrary SQL commands via the page parameter. NOTE: the id vector is already covered by CVE-2007-5679. |
| CVE-2008-3718 |  | 0.03 | — | 0.00 |  | Aug 20, 2008 | Multiple SQL injection vulnerabilities in cyberBB 0.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) id parameter to show_topic.php and the (2) user parameter to profile.php. |
| CVE-2008-3719 |  | 0.03 | — | 0.01 |  | Aug 20, 2008 | SQL injection vulnerability in directory.php in SFS Affiliate Directory allows remote attackers to execute arbitrary SQL commands via the id parameter in a deadlink action. |
| CVE-2008-3725 |  | 0.03 | — | 0.01 |  | Aug 20, 2008 | SQL injection vulnerability in trr.php in YourFreeWorld Ad Board Script allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-3722 |  | 0.03 | — | 0.00 |  | Aug 20, 2008 | SQL injection vulnerability in forum/neu.asp in fipsCMS 2.1 allows remote attackers to execute arbitrary SQL commands via the kat parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2008-3713 |  | 0.03 | — | 0.00 |  | Aug 19, 2008 | SQL injection vulnerability in product.php in PHPBasket allows remote attackers to execute arbitrary SQL commands via the pro_id parameter. |
| CVE-2008-3711 |  | 0.03 | — | 0.00 |  | Aug 19, 2008 | SQL injection vulnerability in index.php in PHPArcadeScript (PHP Arcade Script) 4.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter in a browse action. |
| CVE-2008-3706 |  | 0.03 | — | 0.00 |  | Aug 19, 2008 | SQL injection vulnerability in bannerclick.php in ZEEJOBSITE 2.0 allows remote attackers to execute arbitrary SQL commands via the adid parameter. |
| CVE-2008-3701 |  | 0.03 | — | 0.00 |  | Aug 15, 2008 | SQL injection vulnerability in staff/index.php in Kayako SupportSuite 3.20.02 and earlier allows remote authenticated users to execute arbitrary SQL commands via the customfieldlinkid parameter in a delcflink action. |
| CVE-2008-3682 |  | 0.03 | — | 0.00 |  | Aug 14, 2008 | SQL injection vulnerability in dpage.php in YPN PHP Realty allows remote attackers to execute arbitrary SQL commands via the docID parameter. |
| CVE-2008-3673 |  | 0.03 | — | 0.01 |  | Aug 13, 2008 | SQL injection vulnerability in browsecats.php in PozScripts Classified Ads allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2008-3672. |
| CVE-2008-3674 |  | 0.03 | — | 0.01 |  | Aug 13, 2008 | SQL injection vulnerability in ugroups.php in PozScripts TubeGuru Video Sharing Script allows remote attackers to execute arbitrary SQL commands via the UID parameter. |
| CVE-2008-3669 |  | 0.03 | — | 0.01 |  | Aug 13, 2008 | SQL injection vulnerability in comments.php in ZeeScripts Reviews Opinions Rating Posting Engine Web-Site PHP Script (aka ZeeReviews) allows remote attackers to execute arbitrary SQL commands via the ItemID parameter. |