CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 365 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-0754 | 0.03 | — | 0.00 | Feb 13, 2008 | Multiple SQL injection vulnerabilities in index.php in the Rapid Recipe (com_rapidrecipe) 1.6.5 component for Joomla! allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a showuser action or (2) the category_id parameter in a viewcategorysrecipes action. | ||
| CVE-2008-0746 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in index.php in the Gallery (com_gallery) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action. | ||
| CVE-2008-0752 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in index.php in the Neogallery (com_neogallery) 1.1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a show action. | ||
| CVE-2008-0753 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in calendar.php in Virtual War (VWar) 1.5 allows remote attackers to execute arbitrary SQL commands via the month parameter. | ||
| CVE-2008-0744 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in user_login.asp in PreProjects.com Pre Hotels & Resorts Management System allows remote attackers to execute arbitrary SQL commands via the login page. | ||
| CVE-2008-0739 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter. | ||
| CVE-2008-0738 | 0.03 | — | 0.00 | Feb 13, 2008 | Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idcust parameter to (a) ajax_getTiers.asp and (b) ajax_getCust.asp in ajax/, and the (2) tableName parameter to (c) ajax/ajax_tableFields.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-0734 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in class_auth.php in Limbo CMS 1.0.4.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the cuid cookie parameter to admin.php. | ||
| CVE-2008-0735 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in mod/gallery/ajax/gallery_data.php in AuraCMS 2.2 allows remote attackers to execute arbitrary SQL commands via the albums parameter. | ||
| CVE-2008-0737 | 0.03 | — | 0.01 | Feb 13, 2008 | SQL injection vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and other 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the helpfield parameter. | ||
| CVE-2008-0733 | 0.03 | — | 0.00 | Feb 13, 2008 | SQL injection vulnerability in index.php in CS Team Counter Strike Portals allows remote attackers to execute arbitrary SQL commands via the id parameter, as demonstrated using the downloads page. | ||
| CVE-2008-0714 | 0.03 | — | 0.01 | Feb 12, 2008 | SQL injection vulnerability in users.php in Mihalism Multi Host allows remote attackers to execute arbitrary SQL commands via the username parameter in a lost_password_go action. | ||
| CVE-2008-0719 | 0.03 | — | 0.00 | Feb 12, 2008 | SQL injection vulnerability in customer_testimonials.php in the Customer Testimonials 3 and 3.1 Addon for osCommerce Online Merchant 2.2 allows remote attackers to execute arbitrary SQL commands via the testimonial_id parameter. | ||
| CVE-2008-0721 | 0.03 | — | 0.00 | Feb 12, 2008 | SQL injection vulnerability in index.php in the Sermon (com_sermon) 0.2 component for Mambo allows remote attackers to execute arbitrary SQL commands via the gid parameter. | ||
| CVE-2008-0689 | 0.03 | — | 0.00 | Feb 12, 2008 | SQL injection vulnerability in index.php in the Marketplace (com_marketplace) 1.1.1 and 1.1.1-pl1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a show_category action. | ||
| CVE-2008-0678 | 0.03 | — | 0.01 | Feb 12, 2008 | SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a page action. | ||
| CVE-2008-0681 | 0.03 | — | 0.00 | Feb 12, 2008 | SQL injection vulnerability in index.php in PHPShop 0.8.1 allows remote attackers to execute arbitrary SQL commands via the product_id parameter, as demonstrated by a shop/flypage action. | ||
| CVE-2008-0682 | 0.03 | — | 0.01 | Feb 12, 2008 | SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for Wordpress allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2008-0683 | 0.03 | — | 0.01 | Feb 12, 2008 | SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter. | ||
| CVE-2008-0685 | 0.03 | — | 0.01 | Feb 12, 2008 | SQL injection vulnerability in ViewCat.php in iTechClassifieds 3.0 allows remote attackers to execute arbitrary SQL commands via the CatID parameter. |
- CVE-2008-0754Feb 13, 2008risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in index.php in the Rapid Recipe (com_rapidrecipe) 1.6.5 component for Joomla! allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a showuser action or (2) the category_id parameter in a viewcategorysrecipes action.
- CVE-2008-0746Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in the Gallery (com_gallery) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action.
- CVE-2008-0752Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in the Neogallery (com_neogallery) 1.1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a show action.
- CVE-2008-0753Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in calendar.php in Virtual War (VWar) 1.5 allows remote attackers to execute arbitrary SQL commands via the month parameter.
- CVE-2008-0744Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in user_login.asp in PreProjects.com Pre Hotels & Resorts Management System allows remote attackers to execute arbitrary SQL commands via the login page.
- CVE-2008-0739Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter.
- CVE-2008-0738Feb 13, 2008risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idcust parameter to (a) ajax_getTiers.asp and (b) ajax_getCust.asp in ajax/, and the (2) tableName parameter to (c) ajax/ajax_tableFields.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-0734Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in class_auth.php in Limbo CMS 1.0.4.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the cuid cookie parameter to admin.php.
- CVE-2008-0735Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in mod/gallery/ajax/gallery_data.php in AuraCMS 2.2 allows remote attackers to execute arbitrary SQL commands via the albums parameter.
- CVE-2008-0737Feb 13, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and other 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the helpfield parameter.
- CVE-2008-0733Feb 13, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in CS Team Counter Strike Portals allows remote attackers to execute arbitrary SQL commands via the id parameter, as demonstrated using the downloads page.
- CVE-2008-0714Feb 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in users.php in Mihalism Multi Host allows remote attackers to execute arbitrary SQL commands via the username parameter in a lost_password_go action.
- CVE-2008-0719Feb 12, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in customer_testimonials.php in the Customer Testimonials 3 and 3.1 Addon for osCommerce Online Merchant 2.2 allows remote attackers to execute arbitrary SQL commands via the testimonial_id parameter.
- CVE-2008-0721Feb 12, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in the Sermon (com_sermon) 0.2 component for Mambo allows remote attackers to execute arbitrary SQL commands via the gid parameter.
- CVE-2008-0689Feb 12, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in the Marketplace (com_marketplace) 1.1.1 and 1.1.1-pl1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a show_category action.
- CVE-2008-0678Feb 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a page action.
- CVE-2008-0681Feb 12, 2008risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in PHPShop 0.8.1 allows remote attackers to execute arbitrary SQL commands via the product_id parameter, as demonstrated by a shop/flypage action.
- CVE-2008-0682Feb 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for Wordpress allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-0683Feb 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter.
- CVE-2008-0685Feb 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in ViewCat.php in iTechClassifieds 3.0 allows remote attackers to execute arbitrary SQL commands via the CatID parameter.