VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 341 of 641
  • CVE-2021-24185MedApr 5, 2021
    risk 0.42cvss 6.5epss 0.01

    The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.

  • CVE-2021-24183MedApr 5, 2021
    risk 0.42cvss 6.5epss 0.02

    The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.

  • CVE-2021-24182MedApr 5, 2021
    risk 0.42cvss 6.5epss 0.02

    The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.

  • CVE-2021-24181MedApr 5, 2021
    risk 0.42cvss 6.5epss 0.01

    The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.

  • CVE-2021-28970MedApr 1, 2021
    risk 0.42cvss 6.5epss 0.01

    eMPS 9.0.1.923211 on the Central Management of FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the job_id parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3.

  • CVE-2021-28969MedApr 1, 2021
    risk 0.42cvss 6.5epss 0.01

    eMPS 9.0.1.923211 on FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort_by parameter to the email search feature. According to the vendor, the issue is fixed in 9.0.3. NOTE: this is different from CVE-2020-25034 and affects…

  • CVE-2021-26966MedMar 5, 2021
    risk 0.42cvss 6.5epss 0.01

    A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave…

  • CVE-2021-26965MedMar 5, 2021
    risk 0.42cvss 6.5epss 0.01

    A remote authenticated sql injection vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Multiple vulnerabilities in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave…

  • CVE-2020-35329MedMar 4, 2021
    risk 0.42cvss 6.5epss 0.01

    Courier Management System 1.0 1.0 is affected by SQL Injection via 'MULTIPART street '.

  • CVE-2020-35327MedMar 4, 2021
    risk 0.42cvss 6.5epss 0.01

    SQL injection vulnerability was discovered in Courier Management System 1.0, which can be exploited via the ref_no (POST) parameter to admin_class.php

  • CVE-2021-26686MedFeb 23, 2021
    risk 0.42cvss 6.5epss 0.01

    A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface API of ClearPass could allow an authenticated remote attacker to conduct…

  • CVE-2021-26685MedFeb 23, 2021
    risk 0.42cvss 6.5epss 0.01

    A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface API of ClearPass could allow an authenticated remote attacker to conduct…

  • CVE-2021-1364MedJan 20, 2021
    risk 0.42cvss 6.5epss 0.01

    Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects…

  • CVE-2021-1355MedJan 20, 2021
    risk 0.42cvss 6.5epss 0.01

    Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects…

  • CVE-2021-1282MedJan 20, 2021
    risk 0.42cvss 6.5epss 0.01

    Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects…

  • CVE-2021-23837MedJan 15, 2021
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to…

  • CVE-2020-4003MedNov 24, 2020
    risk 0.42cvss 6.5epss 0.01

    VMware SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 was found to be vulnerable to SQL-injection attacks allowing for potential information disclosure. An authenticated SD-WAN Orchestrator user may inject code into SQL queries which…

  • CVE-2020-25034MedOct 26, 2020
    risk 0.42cvss 6.5epss 0.01

    eMPS prior to eMPS 9.0 FireEye EX 3500 devices allows remote authenticated users to conduct SQL injection attacks via the sort, sort_by, search{URL], or search[attachment] parameter to the email search feature.

  • CVE-2020-7383MedOct 14, 2020
    risk 0.42cvss 6.5epss 0.01

    A SQL Injection issue in Rapid7 Nexpose version prior to 6.6.49 that may have allowed an authenticated user with a low permission level to access resources & make changes they should not have been able to access.

  • CVE-2020-24568MedOct 2, 2020
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. There is a blind SQL injection in the lancompenent component, allowing logged-in attackers to discover arbitrary information.