VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 346 of 441
  • CVE-2008-3212Jul 18, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in Scripteen Free Image Hosting Script 1.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/login.php, or the (3) uname or (4) pass parameter to login.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-3213Jul 18, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in secciones/tablon/tablon.php in WebCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id parameter to portal/index.php in a tablon action. NOTE: some of these details are obtained from third party information.

  • CVE-2008-3200Jul 17, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in vlc_forum.php in Avlc Forum as of 20080715 allows remote attackers to execute arbitrary SQL commands via the id parameter in an affich_message action.

  • CVE-2008-3204Jul 17, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in tops_top.php in E-topbiz Million Pixels 3 allows remote attackers to execute arbitrary SQL commands via the id_cat parameter.

  • CVE-2008-3193Jul 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in jSite 1.0 OE allows remote attackers to execute arbitrary SQL commands via the page parameter to the default URI.

  • CVE-2008-3191Jul 16, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in usercp.php in mForum 0.1a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) City, (2) Interest, (3) Email, (4) Icq, (5) msn, or (6) Yahoo Messenger field in an edit_profile action.

  • CVE-2008-3189Jul 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in dreamnews-rss.php in DreamNews Manager allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-3185Jul 15, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Relative Real Estate Systems 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the listing_id parameter in a listings action.

  • CVE-2008-3152Jul 11, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in directory.php in SmartPPC and SmartPPC Pro allows remote attackers to execute arbitrary SQL commands via the idDirectory parameter.

  • CVE-2008-3154Jul 11, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in WebBlizzard CMS allows remote attackers to execute arbitrary SQL commands via the page parameter.

  • CVE-2008-3151Jul 11, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the 4ndvddb 0.91 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a show_dvd action.

  • CVE-2008-3153Jul 11, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in Triton CMS Pro allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header.

  • CVE-2008-3129Jul 10, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in index.php in Catviz 0.4 beta 1 allow remote attackers to execute arbitrary SQL commands via the (1) foreign_key_value parameter in the news page and (2) webpage parameter in the webpage_multi_edit form.

  • CVE-2008-3136Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in catalogue.php in AShop Deluxe 4.x allows remote attackers to execute arbitrary SQL commands via the cat parameter.

  • CVE-2008-3133Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in admin/index.php in BareNuked CMS 1.1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the password parameter.

  • CVE-2008-3132Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the beamospetition (com_beamospetition) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pet parameter to index.php.

  • CVE-2008-3131Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in chatbox.php in pSys 0.7.0 Alpha, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the showid parameter.

  • CVE-2008-3125Jul 10, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Mole Group Lastminute Script 4.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-3119Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in DreamPics Builder allows remote attackers to execute arbitrary SQL commands via the page parameter.

  • CVE-2008-3124Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Mole Group Hotel Script 1.0 allows remote attackers to execute arbitrary SQL commands via the file parameter.