VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 347 of 441
  • CVE-2008-3124Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Mole Group Hotel Script 1.0 allows remote attackers to execute arbitrary SQL commands via the file parameter.

  • CVE-2008-3118Jul 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in play.php in PHPmotion 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the vid parameter.

  • CVE-2008-3089Jul 9, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in user.html in Xpoze Pro 3.06 (aka Xpoze Pro CMS 2008) allows remote attackers to execute arbitrary SQL commands via the uid parameter.

  • CVE-2008-3083Jul 9, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in Brightcode Weblinks (com_brightweblinks) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter.

  • CVE-2007-1899Jul 9, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in myWebland myBloggie 2.1.6 allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a viewuser action to index.php, and allow remote authenticated administrators to execute arbitrary SQL commands via (2) the post_id parameter in an edit action to admin.php.

  • CVE-2008-3027Jul 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in get_article.php in VanGogh Web CMS 0.9 allows remote attackers to execute arbitrary SQL commands via the article_ID parameter to index.php.

  • CVE-2008-3035Jul 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in newThread.php in XchangeBoard 1.70 Final and earlier allows remote authenticated users to execute arbitrary SQL commands via the boardID parameter.

  • CVE-2008-3034Jul 7, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in RSS-aggregator 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) IdFlux parameter to admin/fonctions/supprimer_flux.php and the (2) IdTag parameter to admin/fonctions/supprimer_tag.php.

  • CVE-2008-3030Jul 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in default.asp in EfesTECH Shop 2.0 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in an urunler action.

  • CVE-2008-3026Jul 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in OneClick CMS (aka Sisplet CMS) 2008-01-24 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-3025Jul 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in ad.php in plx Ad Trader 3.2 allows remote attackers to execute arbitrary SQL commands via the adid parameter in a redir action.

  • CVE-2008-2995Jul 3, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in PHPEasyData 1.5.4 allow remote attackers to execute arbitrary SQL commands via (1) the annuaire parameter to annuaire.php or (2) the username field in admin/login.php.

  • CVE-2008-2996Jul 3, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in index.php in Gravity Board X (GBX) 2.0 Beta, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) searchquery parameter in a getsearch action, and the (2) board_id parameter in a viewboard action.

  • CVE-2008-2972Jul 2, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in KbLance allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a comment action.

  • CVE-2008-2971Jul 2, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in links-extern.php in CiBlog 3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2968Jul 2, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in rating.php in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allows remote attackers to execute arbitrary SQL commands via the book_id parameter.

  • CVE-2008-2964Jul 2, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in guide.php in ResearchGuide 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2963Jul 2, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in MyBlog allow remote attackers to execute arbitrary SQL commands via the (1) view parameter to (a) index.php, and the (2) id parameter to (b) member.php and (c) post.php.

  • CVE-2008-2989Jul 2, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary SQL commands via the go parameter.

  • CVE-2008-2983Jul 2, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Demo4 CMS 01 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter.