VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,799)

page 366 of 440
  • CVE-2008-0686Feb 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the NeoReferences (com_neoreferences) 1.3.1 and 1.3.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter.

  • CVE-2008-0677Feb 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in blog.php in A-Blog 2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a news action.

  • CVE-2008-0690Feb 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the mosDirectory (com_directory) 2.3.2 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a viewcat action.

  • CVE-2008-0692Feb 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in bidhistory.php in iTechBids 3 Gold and 5.0 allows remote attackers to execute arbitrary SQL commands via the item_id parameter.

  • CVE-2008-0695Feb 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in BookmarkX script 2007 allows remote attackers to execute arbitrary SQL commands via the topicid parameter in a showtopic action.

  • CVE-2008-0670Feb 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the Noticias (com_noticias) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detalhe action.

  • CVE-2008-0675Feb 12, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in cms/index.pl in The Everything Development Engine in The Everything Development System Pre-1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the node_id parameter.

  • CVE-2008-0650Feb 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in login.php in Simple OS CMS 0.1c beta allows remote attackers to execute arbitrary SQL commands via the username field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-0649Feb 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in detail.php in Astanda Directory Project (ADP) 1.2 and 1.3 allows remote attackers to execute arbitrary SQL commands via the link_id parameter.

  • CVE-2008-0651Feb 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in login.php in Pedro Santana Codice CMS allows remote attackers to execute arbitrary SQL commands via the username field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-0653Feb 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the Ynews (com_ynews) 1.0.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a showYNews action.

  • CVE-2008-0652Feb 7, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the Downloads (com_downloads) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in a selectfolder action.

  • CVE-2008-0603Feb 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the amazOOP Awesom! (com_awesom) 0.3.2component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter in a viewlist task.

  • CVE-2008-0601Feb 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in All Club CMS (ACCMS) 0.0.1f and earlier allows remote attackers to execute arbitrary SQL commands via the name parameter.

  • CVE-2008-0616Feb 6, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the administration panel in the DMSGuestbook 1.7.0 plugin for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. NOTE: it is not clear whether this issue crosses privilege boundaries.

  • CVE-2008-0614Feb 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in Photokorn Gallery 1.543 allows remote attackers to execute arbitrary SQL commands via the pic parameter in a showpic action.

  • CVE-2008-0611Feb 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery System 2.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0606Feb 6, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the Shambo2 (com_shambo2) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter.

  • CVE-2008-0579Feb 5, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the buslicense (com_buslicense) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in a list action.

  • CVE-2008-0565Feb 5, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in vote.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.