VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 351 of 441
  • CVE-2008-2697Jun 13, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the Rapid Recipe (com_rapidrecipe) component 1.6.6 and 1.6.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the recipe_id parameter in a viewrecipe action to index.php.

  • CVE-2008-2700Jun 13, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in view.php in Galatolo WebManager 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2701Jun 13, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the GameQ (com_gameq) component 4.0 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a page action to index.php.

  • CVE-2008-2691Jun 13, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in read.asp in JiRo's FAQ Manager eXperience 1.0 allows remote attackers to execute arbitrary SQL commands via the fID parameter.

  • CVE-2008-2688Jun 13, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in pilot.asp in ASPilot Pilot Cart 7.3 allows remote attackers to execute arbitrary SQL commands via the article parameter in a kb action.

  • CVE-2008-2676Jun 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the iJoomla News Portal (com_news_portal) component 1.0 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.

  • CVE-2008-2678Jun 12, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in Telephone Directory 2008, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) code parameter in a confirm_data action to edit1.php and the (2) id parameter to view_more.php.

  • CVE-2008-2679Jun 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the KeyWordsList function in _includes/inc_routines.asp in Realm CMS 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the kwrd parameter in a kwl action to the default URI.

  • CVE-2008-2673Jun 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Powie pNews 2.08 and 2.10, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the shownews parameter.

  • CVE-2008-2671Jun 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in comments.php in DCFM Blog 0.9.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2670Jun 12, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in index.php in Insanely Simple Blog 0.5 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter, or (2) the term parameter in a search action. NOTE: the current_subsection parameter is already covered by CVE-2007-3889.

  • CVE-2008-2669Jun 12, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in yBlog 0.2.2.2 allow remote attackers to execute arbitrary SQL commands via (1) the q parameter to search.php, or the n parameter to (2) user.php or (3) uss.php.

  • CVE-2008-2652Jun 10, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in catalog.php in SMEWeb 1.4b and 1.4f allow remote attackers to execute arbitrary SQL commands via the (1) idp and (2) category parameters.

  • CVE-2008-2643Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the Bible Study (com_biblestudy) component before 6.0.7c for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a mediaplayer action to index.php.

  • CVE-2008-2647Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in admin/journal_change_mask.inc.php in meBiblio 0.4.7 allows remote attackers to execute arbitrary SQL commands via the JID parameter.

  • CVE-2008-2651Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the Joomla! Bulletin Board (aka Joo!BB or com_joobb) component 0.5.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the forum parameter in a forum action to index.php.

  • CVE-2008-2626Jun 10, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in comment.asp in Battle Blog 1.25 and earlier allows remote attackers to execute arbitrary SQL commands via the entry parameter.

  • CVE-2008-2634Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.asp in I-Pos Internet Pay Online Store 1.3 Beta and earlier allows remote attackers to execute arbitrary SQL commands via the item parameter.

  • CVE-2008-2627Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the IDoBlog (com_idoblog) component b24 and earlier and 1.0, a component for Joomla!, allows remote attackers to execute arbitrary SQL commands via the userid parameter in a userblog action to index.php.

  • CVE-2008-2628Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the eQuotes (com_equotes) component 0.9.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.