VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,799)

page 369 of 440
  • CVE-2008-0355Jan 18, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in the forum module in PHPEcho CMS, probably 2.0-rc3 and earlier, allows remote attackers to execute arbitrary SQL commands via the id parameter in a section action, a different vector than CVE-2007-2866.

  • CVE-2008-0326Jan 17, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in class/show.php in FaScript FaPersianHack 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to show.php.

  • CVE-2008-0328Jan 17, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in page.php in FaScript FaName 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0327Jan 17, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in show.php in FaScript FaMp3 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0325Jan 17, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in show.php in FaScript FaPersian Petition allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0291Jan 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in showproduct.asp in RichStrong CMS allows remote attackers to execute arbitrary SQL commands via the cat parameter.

  • CVE-2008-0288Jan 16, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in ImageAlbum 2.0.0b2 allow remote attackers to execute arbitrary SQL commands via the id, which is not properly handled in (1) classes/IADomain.php, (2) classes/IACollection.php, and (3) classes/IAUser.php, as demonstrated via the id parameter in a collection.imageview action.

  • CVE-2008-0290Jan 16, 2008
    risk 0.03cvss epss 0.00

    Multiple SQL injection vulnerabilities in Digital Hive 2.0 RC2 and earlier allow (1) remote attackers to execute arbitrary SQL commands via the selectskin parameter to an unspecified program, or (2) remote authenticated administrators to execute arbitrary SQL commands via the user_id parameter in the gestion_membre.php page to base.php.

  • CVE-2008-0286Jan 16, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in admin/login.php in Article Dashboard allows remote attackers to execute arbitrary SQL commands via the (1) user or (2) password fields.

  • CVE-2008-0282Jan 15, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in welcome/inscription.php in DomPHP 0.81 and earlier allows remote attackers to execute arbitrary SQL commands via the mail parameter.

  • CVE-2008-0281Jan 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in liste.php in ID-Commerce 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the idFamille parameter.

  • CVE-2008-0280Jan 15, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in MTCMS 2.0 and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via the (1) a or (2) cid parameter.

  • CVE-2008-0270Jan 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in TaskFreak! 0.6.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the sContext parameter.

  • CVE-2008-0253Jan 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in full_text.php in Binn SBuilder allows remote attackers to execute arbitrary SQL commands via the nid parameter.

  • CVE-2008-0254Jan 15, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in activate.php in TutorialCMS (aka Photoshop Tutorials) 1.02, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the userName parameter.

  • CVE-2008-0278Jan 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in index.php in X7 Chat 2.0.5 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a sm_window action.

  • CVE-2008-0255Jan 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in archive.php in iGaming 1.5, and 1.3.1 and earlier, allows remote attackers to execute arbitrary SQL commands via the section parameter.

  • CVE-2008-0256Jan 15, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in Matteo Binda ASP Photo Gallery 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) Imgbig.asp, (b) thumb.asp, and (c) thumbricerca.asp and the (2) ricerca parameter to (d) thumbricerca.asp.

  • CVE-2008-0279Jan 15, 2008
    risk 0.03cvss epss 0.00

    SQL injection vulnerability in liretopic.php in Xforum 1.4 and possibly others allows remote attackers to execute arbitrary SQL commands via the topic parameter. NOTE: the categorie parameter might also be affected.

  • CVE-2008-0262Jan 15, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in includes/articleblock.php in Agares PhpAutoVideo 2.21 allows remote attackers to execute arbitrary SQL commands via the articlecat parameter.