CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 358 of 440

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-1859 | | 0.03 | — | 0.00 | | Apr 16, 2008 | SQL injection vulnerability in events.php in iScripts SocialWare allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action. |
| CVE-2008-1858 | | 0.03 | — | 0.01 | | Apr 16, 2008 | SQL injection vulnerability in index.php in 724Networks 724CMS 4.01 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. |
| CVE-2008-1847 | | 0.03 | — | 0.00 | | Apr 16, 2008 | SQL injection vulnerability in view.php in CoronaMatrix phpAddressBook 2.11 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-1838 | | 0.03 | — | 0.01 | | Apr 16, 2008 | SQL injection vulnerability in BosClassifieds Classified Ads System 3.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php. |
| CVE-2008-1843 | | 0.03 | — | 0.01 | | Apr 16, 2008 | SQL injection vulnerability in browse.php in W2B DatingClub (aka Dating Club) allows remote attackers to execute arbitrary SQL commands via the age_to parameter in a browsebyCat action. |
| CVE-2008-1844 | | 0.03 | — | 0.01 | | Apr 16, 2008 | SQL injection vulnerability in cat.php in W2B phpHotResources allows remote attackers to execute arbitrary SQL commands via the kind parameter. |
| CVE-2008-1791 | | 0.03 | — | 0.00 | | Apr 15, 2008 | SQL injection vulnerability in ladder.php in My Gaming Ladder 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the ladderid parameter. |
| CVE-2008-1788 | | 0.03 | — | 0.00 | | Apr 15, 2008 | SQL injection vulnerability in directory.php in Prozilla Entertainers 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2008-1789 | | 0.03 | — | 0.00 | | Apr 15, 2008 | SQL injection vulnerability in forum.php in Prozilla Forum allows remote attackers to execute arbitrary SQL commands via the forum parameter. |
| CVE-2008-1774 | | 0.03 | — | 0.00 | | Apr 14, 2008 | SQL injection vulnerability in editlink.php in Pligg 9.9.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-1763 | | 0.03 | — | 0.01 | | Apr 12, 2008 | SQL injection vulnerability in _blogadata/include/sond_result.php in Blogator-script 0.95 allows remote attackers to execute arbitrary SQL commands via the id_art parameter. |
| CVE-2008-1758 | | 0.03 | — | 0.01 | | Apr 12, 2008 | SQL injection vulnerability in the ConcoursPhoto module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the C_ID parameter to index.php. |
| CVE-2008-1759 | | 0.03 | — | 0.01 | | Apr 12, 2008 | SQL injection vulnerability in the jeuxflash module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php, a different vector than CVE-2007-4922. |
| CVE-2008-1750 | | 0.03 | — | 0.01 | | Apr 11, 2008 | SQL injection vulnerability in Integry Systems LiveCart 1.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to the /category URI. |
| CVE-2008-1726 | | 0.03 | — | 0.02 | | Apr 11, 2008 | Multiple SQL injection vulnerabilities in KnowledgeQuest 2.6, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) kqid parameter to (a) articletext.php and (b) articletextonly.php and the (2) username parameter to (c) logincheck.php. |
| CVE-2008-1732 | | 0.03 | — | 0.00 | | Apr 11, 2008 | SQL injection vulnerability in showpredictionsformatch.php in Prediction Football 1.x allows remote attackers to execute arbitrary SQL commands via the matchid parameter in a dupa action. |
| CVE-2008-1733 | | 0.03 | — | 0.00 | | Apr 11, 2008 | SQL injection vulnerability in puarcade.class.php 2.2 and earlier in the Pragmatic Utopia PU Arcade (com_puarcade) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter to index.php. |
| CVE-2008-1715 | | 0.03 | — | 0.01 | | Apr 9, 2008 | SQL injection vulnerability in content/user.php in AuraCMS 2.2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter. |
| CVE-2008-1714 | | 0.03 | — | 0.01 | | Apr 9, 2008 | SQL injection vulnerability in show.php in FaScript FaPhoto 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-1623 | | 0.03 | — | 0.01 | | Apr 2, 2008 | SQL injection vulnerability in admin_view_image.php in Smoothflash allows remote attackers to execute arbitrary SQL commands via the cid parameter. |