CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,813)
page 349 of 441

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-2868 | | 0.03 | — | 0.01 | | Jun 26, 2008 | SQL injection vulnerability in detail.asp in DUware DUcalendar 1.0 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the iEve parameter. |
| CVE-2008-2875 | | 0.03 | — | 0.00 | | Jun 26, 2008 | SQL injection vulnerability in index.php in Webdevindo-CMS 1.0.0 allows remote attackers to execute arbitrary SQL commands via the hal parameter. |
| CVE-2008-2874 | | 0.03 | — | 0.00 | | Jun 26, 2008 | SQL injection vulnerability in index.php in Softbiz Jokes & Funny Pics Script allows remote attackers to execute arbitrary SQL commands via the sbjoke_id parameter, a different vector than CVE-2008-1050. |
| CVE-2008-2872 | | 0.03 | — | 0.00 | | Jun 26, 2008 | SQL injection vulnerability in default.asp in sHibby sHop 2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the sayfa parameter. |
| CVE-2008-2870 | | 0.03 | — | 0.00 | | Jun 26, 2008 | Multiple SQL injection vulnerabilities in ShareCMS 0.1 Beta allow remote attackers to execute arbitrary SQL commands via the (1) eventID parameter to event_info.php and the (2) userID parameter to list_user.php. |
| CVE-2008-2869 | | 0.03 | — | 0.01 | | Jun 26, 2008 | SQL injection vulnerability in out.php in E-topbiz Link ADS 1 allows remote attackers to execute arbitrary SQL commands via the linkid parameter. |
| CVE-2008-2867 | | 0.03 | — | 0.01 | | Jun 26, 2008 | SQL injection vulnerability in adclick.php in E-topbiz Viral DX 1 2.07 allows remote attackers to execute arbitrary SQL commands via the bannerid parameter. |
| CVE-2008-2843 | | 0.03 | — | 0.01 | | Jun 25, 2008 | Multiple SQL injection vulnerabilities in doITLive CMS 2.50 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter in an USUB action to default.asp and the (2) Licence[SpecialLicenseNumber] (aka LicenceId) cookie to edit/default.asp. |
| CVE-2008-2844 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in index.php in Carscripts Classifieds allows remote attackers to execute arbitrary SQL commands via the cat parameter. |
| CVE-2008-2865 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in index.php in Kalptaru Infotech PHP Site Lock 2.0 allows remote attackers to execute arbitrary SQL commands via the articleid parameter in a show_article action. |
| CVE-2008-2846 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in index.php in BoatScripts Classifieds allows remote attackers to execute arbitrary SQL commands via the type parameter. |
| CVE-2008-2847 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in the Trade module in Maxtrade AIO 1.3.23 allows remote attackers to execute arbitrary SQL commands via the categori parameter in a pocategorisell action to modules.php. |
| CVE-2008-2853 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in index.php in Easy Webstore 1.2 allows remote attackers to execute arbitrary SQL commands via the cat_path parameter. |
| CVE-2008-2856 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in clanek.php in OwnRS Beta 3 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-2858 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in index.php in WebChamado 1.1 allows remote attackers to execute arbitrary SQL commands via the eml parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2008-2866 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in csc_article_details.php in Caupo.net CaupoShop Classic 1.3 allows remote attackers to execute arbitrary SQL commands via the saArticle[ID] parameter. |
| CVE-2008-2862 | | 0.03 | — | 0.01 | | Jun 25, 2008 | Multiple SQL injection vulnerabilities in eLineStudio Site Composer (ESC) 2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to ansFAQ.asp and the (2) template_id parameter to preview.asp. |
| CVE-2008-2860 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in category.php in AJSquare AJ Auction Pro web 2.0 allows remote attackers to execute arbitrary SQL commands via the cate_id parameter. |
| CVE-2008-2845 | | 0.03 | — | 0.00 | | Jun 25, 2008 | SQL injection vulnerability in index.php in MyBizz-Classifieds allows remote attackers to execute arbitrary SQL commands via the cat parameter. |
| CVE-2008-2837 | | 0.03 | — | 0.00 | | Jun 24, 2008 | SQL injection vulnerability in index.php in CMS-BRD allows remote attackers to execute arbitrary SQL commands via the menuclick parameter. |