CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 359 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-1640 | 0.03 | — | 0.00 | Apr 2, 2008 | SQL injection vulnerability in jgs_treffen.php in the JGS-XA JGS-Treffen 2.0.2 and earlier addon for Woltlab Burning Board (wBB) allows remote attackers to execute arbitrary SQL commands via the view_id parameter in an ansicht action. | ||
| CVE-2008-1641 | 0.03 | — | 0.00 | Apr 2, 2008 | SQL injection vulnerability in default.asp in EfesTECH Video 5.0 allows remote attackers to execute arbitrary SQL commands via the catID parameter. | ||
| CVE-2008-1646 | 0.03 | — | 0.01 | Apr 2, 2008 | SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter. | ||
| CVE-2008-1650 | 0.03 | — | 0.02 | Apr 2, 2008 | SQL injection vulnerability in dynamicpages/index.php in EasyNews 4.0 allows remote attackers to execute arbitrary SQL commands via the read parameter in an edp_Help_Internal_News action. | ||
| CVE-2008-1639 | 0.03 | — | 0.00 | Apr 2, 2008 | SQL injection vulnerability in index.php in Neat weblog 0.2 allows remote attackers to execute arbitrary SQL commands via the articleId parameter in a show action, probably related to the showArticle function in lib/lib_article.include.php. | ||
| CVE-2008-1607 | 0.03 | — | 0.00 | Apr 1, 2008 | SQL injection vulnerability in haberoku.php in Serbay Arslanhan Bomba Haber 2.0 allows remote attackers to execute arbitrary SQL commands via the haber parameter. | ||
| CVE-2008-1591 | 0.03 | — | 0.00 | Mar 31, 2008 | The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP HTTP header (HTTP_CLIENT_IP variable). | ||
| CVE-2008-1551 | 0.03 | — | 0.01 | Mar 31, 2008 | SQL injection vulnerability in viewcat.php in the Photo 3.02 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter. | ||
| CVE-2008-1554 | 0.03 | — | 0.00 | Mar 31, 2008 | SQL injection vulnerability in account/index.php in TopperMod 2.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a non-alphanumeric first character the localita parameter, which bypasses a protection mechanism. | ||
| CVE-2008-1559 | 0.03 | — | 0.00 | Mar 31, 2008 | SQL injection vulnerability in the Bernard Gilly AlphaContent (com_alphacontent) 2.5.8 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php. | ||
| CVE-2008-1535 | 0.03 | — | 0.01 | Mar 28, 2008 | SQL injection vulnerability in the Matti Kiviharju rekry (aka com_rekry or rekry!Joom) 1.0.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the op_id parameter in a view action to index.php. | ||
| CVE-2008-1540 | 0.03 | — | 0.00 | Mar 28, 2008 | SQL injection vulnerability in the Datsogallery (com_datsogallery) 1.3.1 module for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-1539 | 0.03 | — | 0.00 | Mar 28, 2008 | SQL injection vulnerability in includes/dynamic_titles.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary SQL commands via the p parameter to modules.php for the Forums module. | ||
| CVE-2008-1513 | 0.03 | — | 0.00 | Mar 25, 2008 | SQL injection vulnerability in index.php in Danneo CMS 0.5.1 and earlier, when the Referers statistics option is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header. | ||
| CVE-2008-1509 | 0.03 | — | 0.01 | Mar 25, 2008 | SQL injection vulnerability in index.php in XLPortal 2.2.4 and earlier allows remote attackers to execute arbitrary SQL commands via the query parameter. | ||
| CVE-2008-1508 | 0.03 | — | 0.00 | Mar 25, 2008 | SQL injection vulnerability in EfesTech E-Kontör and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-1496 | 0.03 | — | 0.01 | Mar 25, 2008 | Multiple SQL injection vulnerabilities in PEEL, possibly 3.x and earlier, allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to (a) membre.php, and the (2) timestamp parameter to (b) the details action in achat/historique_commandes.php and (c) the facture action in factures/facture_html.php. | ||
| CVE-2008-1465 | 0.03 | — | 0.01 | Mar 24, 2008 | SQL injection vulnerability in the Detodas Restaurante (com_restaurante) 1.0 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php, a different product than CVE-2008-0562. | ||
| CVE-2008-1462 | 0.03 | — | 0.00 | Mar 24, 2008 | SQL injection vulnerability in the sections (Section) module in RunCMS allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle action. | ||
| CVE-2008-1460 | 0.03 | — | 0.00 | Mar 24, 2008 | SQL injection vulnerability in the Joovideo (com_joovideo) 1.0 and 1.2.2 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. |
- CVE-2008-1640Apr 2, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in jgs_treffen.php in the JGS-XA JGS-Treffen 2.0.2 and earlier addon for Woltlab Burning Board (wBB) allows remote attackers to execute arbitrary SQL commands via the view_id parameter in an ansicht action.
- CVE-2008-1641Apr 2, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in default.asp in EfesTECH Video 5.0 allows remote attackers to execute arbitrary SQL commands via the catID parameter.
- CVE-2008-1646Apr 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter.
- CVE-2008-1650Apr 2, 2008risk 0.03cvss —epss 0.02
SQL injection vulnerability in dynamicpages/index.php in EasyNews 4.0 allows remote attackers to execute arbitrary SQL commands via the read parameter in an edp_Help_Internal_News action.
- CVE-2008-1639Apr 2, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Neat weblog 0.2 allows remote attackers to execute arbitrary SQL commands via the articleId parameter in a show action, probably related to the showArticle function in lib/lib_article.include.php.
- CVE-2008-1607Apr 1, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in haberoku.php in Serbay Arslanhan Bomba Haber 2.0 allows remote attackers to execute arbitrary SQL commands via the haber parameter.
- CVE-2008-1591Mar 31, 2008risk 0.03cvss —epss 0.00
The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP HTTP header (HTTP_CLIENT_IP variable).
- CVE-2008-1551Mar 31, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in viewcat.php in the Photo 3.02 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter.
- CVE-2008-1554Mar 31, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in account/index.php in TopperMod 2.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a non-alphanumeric first character the localita parameter, which bypasses a protection mechanism.
- CVE-2008-1559Mar 31, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Bernard Gilly AlphaContent (com_alphacontent) 2.5.8 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php.
- CVE-2008-1535Mar 28, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Matti Kiviharju rekry (aka com_rekry or rekry!Joom) 1.0.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the op_id parameter in a view action to index.php.
- CVE-2008-1540Mar 28, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Datsogallery (com_datsogallery) 1.3.1 module for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-1539Mar 28, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in includes/dynamic_titles.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary SQL commands via the p parameter to modules.php for the Forums module.
- CVE-2008-1513Mar 25, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Danneo CMS 0.5.1 and earlier, when the Referers statistics option is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header.
- CVE-2008-1509Mar 25, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in XLPortal 2.2.4 and earlier allows remote attackers to execute arbitrary SQL commands via the query parameter.
- CVE-2008-1508Mar 25, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in EfesTech E-Kontör and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-1496Mar 25, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in PEEL, possibly 3.x and earlier, allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to (a) membre.php, and the (2) timestamp parameter to (b) the details action in achat/historique_commandes.php and (c) the facture action in factures/facture_html.php.
- CVE-2008-1465Mar 24, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in the Detodas Restaurante (com_restaurante) 1.0 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php, a different product than CVE-2008-0562.
- CVE-2008-1462Mar 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the sections (Section) module in RunCMS allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle action.
- CVE-2008-1460Mar 24, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in the Joovideo (com_joovideo) 1.0 and 1.2.2 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php.