VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 36 of 512
  • CVE-2018-17232CriSep 20, 2018
    risk 0.64cvss 9.8epss 0.02

    SQL injection vulnerability in archivebot.py in docmarionum1 Slack ArchiveBot (aka slack-archive-bot) before 2018-09-19 allows remote attackers to execute arbitrary SQL commands via the text parameter to cursor.execute().

  • CVE-2018-17136CriSep 17, 2018
    risk 0.64cvss 9.8epss 0.01

    zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header.

  • CVE-2018-17110CriSep 17, 2018
    risk 0.64cvss 9.8epss 0.02

    Simple POS 4.0.24 allows SQL Injection via a products/get_products/ columns[0][search][value] parameter in the management panel, as demonstrated by products/get_products/1.

  • CVE-2018-17035CriSep 14, 2018
    risk 0.64cvss 9.8epss 0.01

    UCMS 1.4.6 has SQL injection during installation via the install/index.php mysql_dbname parameter.

  • CVE-2018-16762CriSep 9, 2018
    risk 0.64cvss 9.8epss 0.01

    FUEL CMS 1.4.1 allows SQL Injection via the layout, published, or search_term parameter to pages/items.

  • CVE-2018-16724CriSep 8, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue is discovered in baijiacms V4. Blind SQL Injection exists via the order parameter in an index.php?act=index request.

  • CVE-2018-16445CriSep 4, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in SeaCMS through 6.61. SQL injection exists via the tid parameter in an adm1n/admin_topic_vod.php request.

  • CVE-2018-16432CriSep 4, 2018
    risk 0.64cvss 9.8epss 0.01

    BlueCMS 1.6 allows SQL Injection via the user_name parameter to uploads/user.php?act=index_login.

  • CVE-2018-16385CriSep 3, 2018
    risk 0.64cvss 9.8epss 0.02

    ThinkPHP before 5.1.23 allows SQL Injection via the public/index/index/test/index query string.

  • CVE-2018-16354CriSep 2, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in FHCRM through 2018-02-11. There is a SQL injection via the index.php/User/read limit parameter.

  • CVE-2018-16353CriSep 2, 2018
    risk 0.64cvss 9.8epss 0.01

    An issue was discovered in FHCRM through 2018-02-11. There is a SQL injection via the /index.php/Customer/read limit parameter.

  • CVE-2018-16278CriAug 31, 2018
    risk 0.64cvss 9.8epss 0.02

    phpkaiyuancms PhpOpenSourceCMS (POSCMS) V3.2.0 allows an unauthenticated user to execute arbitrary SQL commands via the diy/module/member/controllers/Api.php ajax_save_draft function with the dir parameter.

  • CVE-2018-13824CriAug 30, 2018
    risk 0.64cvss 9.8epss 0.02

    Insufficient input sanitization of two parameters in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to execute SQL injection attacks.

  • CVE-2018-15873CriAug 28, 2018
    risk 0.64cvss 9.8epss 0.01

    A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.

  • CVE-2018-15904CriAug 27, 2018
    risk 0.64cvss 9.8epss 0.01

    A10 ACOS Web Application Firewall (WAF) 2.7.1 and 2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, and 4.1.2 before 4.1.2-P4 mishandles the configured rules for blocking SQL injection attacks, aka A10-2017-0008.

  • CVE-2018-15894CriAug 27, 2018
    risk 0.64cvss 9.8epss 0.02

    A SQL injection was discovered in /coreframe/app/admin/pay/admin/index.php in WUZHI CMS 4.1.0 via the index.php?m=pay&f=index&v=listing keyValue parameter.

  • CVE-2018-15893CriAug 27, 2018
    risk 0.64cvss 9.8epss 0.02

    A SQL injection was discovered in /coreframe/app/admin/copyfrom.php in WUZHI CMS 4.1.0 via the index.php?m=core&f=copyfrom&v=listing keywords parameter.

  • CVE-2018-1000653CriAug 20, 2018
    risk 0.64cvss 9.8epss 0.01

    zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx.

  • CVE-2018-3783CriAug 17, 2018
    risk 0.64cvss 9.8epss 0.04

    A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.

  • CVE-2018-15168CriAug 8, 2018
    risk 0.64cvss 9.8epss 0.04

    A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.