CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 344 of 441

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-3413 | | 0.03 | — | 0.01 | | Jul 31, 2008 | SQL injection vulnerability in category.php in Greatclone GC Auction Platinum allows remote attackers to execute arbitrary SQL commands via the cate_id parameter. |
| CVE-2008-3406 | | 0.03 | — | 0.00 | | Jul 31, 2008 | SQL injection vulnerability in showcat.php in phpLinkat 0.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter. |
| CVE-2008-3403 | | 0.03 | — | 0.01 | | Jul 31, 2008 | SQL injection vulnerability in mojoClassified.cgi in MojoPersonals allows remote attackers to execute arbitrary SQL commands via the cat parameter. |
| CVE-2008-3388 | | 0.03 | — | 0.00 | | Jul 30, 2008 | Multiple SQL injection vulnerabilities in Def-Blog 1.0.3 allow remote attackers to execute arbitrary SQL commands via the article parameter to (1) comaddok.php and (2) comlook.php. |
| CVE-2008-3387 | | 0.03 | — | 0.00 | | Jul 30, 2008 | SQL injection vulnerability in show.php in PHPFootball 1.6 allows remote attackers to execute arbitrary SQL commands via the dbtable parameter. |
| CVE-2008-3386 | | 0.03 | — | 0.01 | | Jul 30, 2008 | SQL injection vulnerability in album.php in AlstraSoft Video Share Enterprise 4.51 allows remote attackers to execute arbitrary SQL commands via the UID parameter, a different vector than CVE-2007-4086. |
| CVE-2008-3383 | | 0.03 | — | 0.00 | | Jul 30, 2008 | SQL injection vulnerability in mojoAuto.cgi in MojoAuto allows remote attackers to execute arbitrary SQL commands via the cat_a parameter in a browse action. |
| CVE-2008-3382 | | 0.03 | — | 0.00 | | Jul 30, 2008 | SQL injection vulnerability in mojoClassified.cgi in MojoClassifieds 2.0 allows remote attackers to execute arbitrary SQL commands via the cat_a parameter. |
| CVE-2008-3378 | | 0.03 | — | 0.00 | | Jul 30, 2008 | SQL injection vulnerability in comment.php in Fizzmedia 1.51.2 allows remote attackers to execute arbitrary SQL commands via the mid parameter. |
| CVE-2008-3377 | | 0.03 | — | 0.00 | | Jul 30, 2008 | SQL injection vulnerability in picture.php in phpTest 0.6.3 allows remote attackers to execute arbitrary SQL commands via the image_id parameter. |
| CVE-2008-3374 | | 0.03 | — | 0.01 | | Jul 30, 2008 | SQL injection vulnerability in ajax.php in Gregarius 0.5.4 and earlier allows remote attackers to execute arbitrary SQL commands via the rsargs array parameter in an __exp__getFeedContent action. |
| CVE-2008-3372 | | 0.03 | — | 0.00 | | Jul 30, 2008 | SQL injection vulnerability in search_form.php in Getacoder Clone allows remote attackers to execute arbitrary SQL commands via the sb_protype parameter. |
| CVE-2008-3370 | | 0.03 | — | 0.01 | | Jul 30, 2008 | SQL injection vulnerability in the CUA Login Module in EMC Centera Universal Access (CUA) 4.0_4735.p4 allows remote attackers to execute arbitrary SQL commands via the user (user name) field. |
| CVE-2008-3369 | | 0.03 | — | 0.02 | | Jul 30, 2008 | SQL injection vulnerability in products_rss.php in ViArt Shop 3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the category_id parameter. |
| CVE-2008-3366 | | 0.03 | — | 0.00 | | Jul 30, 2008 | SQL injection vulnerability in story.php in Pligg CMS Beta 9.9.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: this might overlap CVE-2008-1774. |
| CVE-2008-3351 | | 0.03 | — | 0.01 | | Jul 28, 2008 | SQL injection vulnerability in atomPhotoBlog.php in Atom PhotoBlog 1.0.9.1 and 1.1.5b1 allows remote attackers to execute arbitrary SQL commands via the photoId parameter in a show action. |
| CVE-2008-3355 | | 0.03 | — | 0.00 | | Jul 28, 2008 | SQL injection vulnerability in sitemap.xml.php in Camera Life 2.6.2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action. |
| CVE-2008-3352 | | 0.03 | — | 0.00 | | Jul 28, 2008 | SQL injection vulnerability in index.php in Live Music Plus 1.1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a Singer action. |
| CVE-2008-3347 | | 0.03 | — | 0.01 | | Jul 28, 2008 | SQL injection vulnerability in staticpages/easycalendar/index.php in MyioSoft EasyDynamicPages 3.0 trial edition (tr) allows remote attackers to execute arbitrary SQL commands via the read parameter. |
| CVE-2008-3346 | | 0.03 | — | 0.01 | | Jul 28, 2008 | SQL injection vulnerability in product_detail.php in ShopCart DX allows remote attackers to execute arbitrary SQL commands via the pid parameter. |