VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,812)

page 355 of 441
  • CVE-2008-2278May 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in browseproject.php in Freelance Auction Script 1.0 allows remote attackers to execute arbitrary SQL commands via the pid parameter in a pdetails action.

  • CVE-2008-2277May 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in detail.php in Feedback and Rating Script 1.0 allows remote attackers to execute arbitrary SQL commands via the listingid parameter.

  • CVE-2008-2265May 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in news.php in EMO Realty Manager allows remote attackers to execute arbitrary SQL commands via the ida parameter.

  • CVE-2008-2263May 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in linking.page.php in Automated Link Exchange Portal allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. NOTE: linking.page.php is commonly renamed to link.php, links.php, etc.

  • CVE-2008-2222May 14, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in login.php in EQdkp 1.3.2f allows remote attackers to bypass EQdkp user authentication via the user_id parameter.

  • CVE-2008-2225May 14, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in gameCMS Lite 1.0 allows remote attackers to execute arbitrary SQL commands via the systemId parameter.

  • CVE-2008-2223May 14, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in group_posts.php in vShare YouTube Clone 2.6 allows remote attackers to execute arbitrary SQL commands via the tid parameter.

  • CVE-2008-2194May 14, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in forums.php in DeluxeBB 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the sort parameter.

  • CVE-2008-2191May 14, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the pnEncyclopedia module 0.2.0 and earlier for PostNuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a display_term action to index.php.

  • CVE-2008-2190May 14, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in index.php in Online Rent (aka Online Rental Property Script) 4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter. NOTE: it was later reported that 5.0 and earlier are also affected.

  • CVE-2008-2197May 14, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the blogwriter module 2.0 for Miniweb allows remote attackers to execute arbitrary SQL commands via the historymonth parameter to index.php.

  • CVE-2008-2189May 14, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in viewfaqs.php in AnServ Auction XL allows remote attackers to execute arbitrary SQL commands via the cat parameter.

  • CVE-2008-2177May 13, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in phpDirectorySource 1.1.06, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to show.php and the (2) login parameter to admin.php.

  • CVE-2008-2184May 13, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in SMartBlog (aka SMBlog) 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) mois, (2) an, (3) jour, and (4) id parameters to index.php, and the (5) login parameter to gestion/logon.php, different vectors than CVE-2008-2183. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-2183May 13, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in SMartBlog (aka SMBlog) 1.3 allows remote attackers to execute arbitrary SQL commands via the idt parameter.

  • CVE-2008-2180May 13, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in cpLinks 1.03, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) admin_username parameter (aka the username field) to admin/index.php and the (2) search_text and (3) search_category parameters to search.php. NOTE: some of these details are obtained from third party information.

  • CVE-2008-2175May 13, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in comments.php in Gamma Scripts BlogMe PHP 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2125May 9, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in viewalbums.php in Musicbox 2.3.6 and 2.3.7 allows remote attackers to execute arbitrary SQL commands via the artistId parameter.

  • CVE-2008-2129May 9, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Galleristic 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter.

  • CVE-2008-2130May 9, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in poll_vote.php in iGaming CMS 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.