VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,809)

page 357 of 441
  • CVE-2008-1982Apr 27, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.

  • CVE-2008-1975Apr 27, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in E-RESERV 2.1 allows remote attackers to execute arbitrary SQL commands via the ID_loc parameter.

  • CVE-2008-1968Apr 27, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in Cezanne 7 allow remote authenticated users to execute arbitrary SQL commands via the FUNID parameter to (1) CFLookup.asp and (2) CznCommon/CznCustomContainer.asp.

  • CVE-2008-1961Apr 25, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to execute arbitrary SQL commands via the AMG_id parameter in a comments action.

  • CVE-2008-1957Apr 25, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in news.php in Tr Script News 2.1 allows remote attackers to execute arbitrary SQL commands via the nb parameter in voir mode.

  • CVE-2008-1954Apr 25, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in one_day.php in Web Calendar Pro 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter.

  • CVE-2008-1935Apr 25, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in the Filiale 1.0.4 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the idFiliale parameter.

  • CVE-2008-1934Apr 25, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in commentaires.php in Crazy Goomba 1.2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-1936Apr 25, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Classifieds Caffe allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in an add action. NOTE: this issue might be site-specific.

  • CVE-2008-1939Apr 25, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) topic parameters to (a) philboard_reply.asp, and the (3) forumid parameter to (b) philboard_newtopic.asp, different vectors than CVE-2007-2641 and CVE-2007-0920.

  • CVE-2008-1921Apr 23, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in store_pages/category_list.php in 5th Avenue Shopping Cart 1.2 trial edition allows remote attackers to execute arbitrary SQL commands via the category_ID parameter.

  • CVE-2008-1919Apr 23, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in listtest.php in YourFreeWorld Apartment Search Script allows remote attackers to execute arbitrary SQL commands via the r parameter.

  • CVE-2008-1918Apr 23, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected.

  • CVE-2008-1915Apr 23, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in view.asp in DevWorx BlogWorx 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-1913Apr 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Lasernet CMS 1.5 and 1.11, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the new parameter in a new action.

  • CVE-2008-1613Apr 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in ioRD.asp in RedDot CMS 7.5 Build 7.5.0.48, and possibly other versions including 6.5 and 7.0, allows remote attackers to execute arbitrary SQL commands via the LngId parameter.

  • CVE-2008-1911Apr 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in includes/system.php in 1024 CMS 1.4.2 beta and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a cookpass cookie.

  • CVE-2008-1909Apr 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in comment.php in PHP Knowledge Base (PHPKB) 1.5 and 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.

  • CVE-2008-1907Apr 22, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in functions/display_page.func.php in cpCommerce 1.1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id_product, (2) id_manufacturer, and (3) id_category parameters to unspecified components. NOTE: this probably overlaps CVE-2007-2959 and CVE-2007-2890.

  • CVE-2008-1889Apr 18, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in viewcat.php in XplodPHP AutoTutorials 2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.