VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,813)

page 352 of 441
  • CVE-2008-2627Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the IDoBlog (com_idoblog) component b24 and earlier and 1.0, a component for Joomla!, allows remote attackers to execute arbitrary SQL commands via the userid parameter in a userblog action to index.php.

  • CVE-2008-2633Jun 10, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in the EXP JoomRadio (com_joomradio) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) show_radio or (2) show_video action to index.php.

  • CVE-2008-2634Jun 10, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.asp in I-Pos Internet Pay Online Store 1.3 Beta and earlier allows remote attackers to execute arbitrary SQL commands via the item parameter.

  • CVE-2008-2572Jun 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in php/leer_comentarios.php in FlashBlog allows remote attackers to execute arbitrary SQL commands via the articulo_id parameter.

  • CVE-2008-2564Jun 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the JotLoader (com_jotloader) component 1.2.1.a and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter to index.php.

  • CVE-2008-2562Jun 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in edCss.php in PowerPhlogger 2.2.5 and earlier allows remote authenticated users to execute arbitrary SQL commands via the css_str parameter in an edit action.

  • CVE-2008-2560Jun 6, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in showpost.php in 427BB 2.3.1 allows remote attackers to execute arbitrary SQL commands via the post parameter.

  • CVE-2008-2568Jun 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component 3.4 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a browse action to index.php.

  • CVE-2008-2569Jun 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the EasyBook (com_easybook) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gbid parameter in a deleteentry action to index.php.

  • CVE-2008-2565Jun 6, 2008
    risk 0.03cvss epss 0.02

    Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) edit.php. NOTE: it was later reported that 4.0.x is also affected.

  • CVE-2008-2554Jun 5, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in BP Blog 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to template_permalink.asp and (2) cat parameter to template_archives_cat.asp.

  • CVE-2008-2555Jun 5, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in EasyWay CMS allows remote attackers to execute arbitrary SQL commands via the mid parameter.

  • CVE-2008-2556Jun 5, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in read.php in PHP Visit Counter 0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the datespan parameter in a read action.

  • CVE-2008-2522Jun 3, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in members.php in Battle.net Clan Script for PHP 1.5.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the showmember parameter in a members action.

  • CVE-2008-2529Jun 3, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in read.php in Advanced Links Management (ALM) 1.5.2 allows remote attackers to execute arbitrary SQL commands via the catId parameter.

  • CVE-2008-2537Jun 3, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in cat.php in HispaH Model Search allows remote attackers to execute arbitrary SQL commands via the cat parameter.

  • CVE-2008-2536Jun 3, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in out.php in YABSoft Advanced Image Hosting (AIH) Script 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the t parameter.

  • CVE-2008-2535Jun 3, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in Phoenix View CMS Pre Alpha2 and earlier allow remote attackers to execute arbitrary SQL commands via the del parameter to (1) gbuch.admin.php, (2) links.admin.php, (3) menue.admin.php, (4) news.admin.php, and (5) todo.admin.php in admin/module/.

  • CVE-2008-2532Jun 3, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in forum/topic_detail.php in AJ Square aj-hyip (aka AJ HYIP Acme) allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2521Jun 3, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in members.php in YABSoft Mega File Hosting Script (aka MFH or MFHS) 1.2 allows remote authenticated users to execute arbitrary SQL commands via the fid parameter.