VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
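The following is an added example, not part of the CWE entry or of any product listed below. It shows the mechanism the description refers to: a query whose text is built by concatenating user input, so that a quote character in the input is read as SQL syntax, beside the parameterized form in which the statement text is fixed and the input is bound as data. It also covers the case parameters cannot handle, an attacker-controlled identifier such as a table name, which must be checked against an allow-list. The users table, credentials and the ALLOWED_TABLES set are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: input is spliced into the SQL text.

    A quote in `username` or `password` terminates the string literal, so
    what follows is parsed as SQL rather than compared as data.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the statement shape is fixed before the values
    are supplied, so no value can alter where the WHERE clause ends."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Hypothetical allow-list for the example; identifiers cannot be bound as
# parameters, so a caller-chosen table name must be validated this way.
ALLOWED_TABLES = {"users", "notices"}


def count_rows(conn, table):
    """Safe use of a user-selected table name: reject anything not in the
    allow-list, then quote the (now trusted) identifier."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % (table,))
    return conn.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    # Tautology: password input closes the literal and appends OR '1'='1',
    # so the WHERE clause matches every row and the first user is returned.
    print(login_vulnerable(conn, "alice", "' OR '1'='1"))
    # UNION: the username input replaces the result set with another column.
    print(login_vulnerable(
        conn, "' UNION SELECT password FROM users WHERE username='alice' -- ", "x"))
    # Same payloads against the parameterized query match no row.
    print(login_safe(conn, "alice", "' OR '1'='1"))
    print(count_rows(conn, "users"))
```

The tautology payload works because `AND` binds tighter than `OR`: the generated clause becomes `(username = 'alice' AND password = '') OR '1'='1'`. The UNION payload shows that the same flaw reads arbitrary data, not just bypasses a check, which is what the "read all database content" wording in several of the entries below means in practice.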

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 37 of 512
  • CVE-2018-14968 · Critical · Aug 6, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in EMLsoft 5.4.5. upload\eml\action\action.address.php has SQL Injection via the numPerPage parameter.

  • CVE-2018-14961 · Critical · Aug 6, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter.

  • CVE-2018-5384 · Critical · Jul 24, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind sql injection. If successfully exploited the user can get info from the underlying postgresql database that could lead to total compromise of the product. The said…

  • CVE-2017-3181 · Critical · Jul 24, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Multiple TIBCO Products are prone to multiple unspecified SQL-injection vulnerabilities because they fail to properly sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify…

  • CVE-2018-14515 · Critical · Jul 23, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A SQL injection was discovered in WUZHI CMS 4.1.0 that allows remote attackers to inject a malicious SQL statement via the index.php?m=promote&f=index&v=search keywords parameter.

  • CVE-2018-14501 · Critical · Jul 22, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as demonstrated by crafted POST data beginning with an "m_id=1 AND SLEEP(5)" substring.

  • CVE-2018-14440 · Critical · Jul 20, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in cckevincyh SSH CompanyWebsite through 2018-05-03. SQL injection exists via the admin/noticeManageAction_queryNotice.action noticeInfo parameter.

  • CVE-2018-14389 · Critical · Jul 18, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    joyplus-cms 1.6.0 has SQL Injection via the manager/admin_ajax.php val parameter.

  • CVE-2018-14066 · Critical · Jul 15, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as…

  • CVE-2018-14012 · Critical · Jul 12, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    WolfSight CMS 3.2 allows SQL injection via the PATH_INFO to the default URI.

  • CVE-2018-10197 · Critical · Jul 11, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    There is a time-based blind SQL injection vulnerability in the Access Manager component before 9.18.040 and 10.x before 10.18.040 in ELO ELOenterprise 9 and 10 and ELOprofessional 9 and 10 that makes it possible to read all database content. The vulnerability exists in the…

  • CVE-2018-13850 · Critical · Jul 10, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The "Firebase Cloud Messaging (FCM) + Advance Admin Panel" component supporting Firebase Push Notification on iOS (through 2017-10-26) allows SQL injection via the /advance_push/public/login username parameter.

  • CVE-2013-3000 · Critical · Jul 9, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in IBM InfoSphere Data Replication Dashboard 9.7 and 10.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. IBM X-Force ID: 84116.

  • CVE-2017-11088 · Critical · Jul 6, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Input Validation in Linux io-prefetch in Snapdragon Mobile and Snapdragon Wear. A SQL injection vulnerability exists in versions MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 430, SD 450, SD 617, SD 625, SD 650/52, SD 820, SD 835, SD 845.

  • CVE-2018-13116 · Critical · Jul 3, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    /user/del.php in zzcms 8.3 allows SQL injection via the tablename parameter after leveraging use of the zzcms_ask table.

  • CVE-2018-12630 · Critical · Jun 21, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI.

  • CVE-2015-4043 · Critical · Jun 19, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in ConnX ESP HR Management 4.4.0 allows remote attackers to execute arbitrary SQL commands via the ctl00$cphMainContent$txtUserName parameter to frmLogin.aspx.

  • CVE-2018-9029 · Critical · Jun 18, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An improper input validation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to conduct SQL injection attacks.

  • CVE-2018-12534 · Critical · Jun 18, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A SQL injection issue was discovered in the Quick Chat plugin before 4.00 for WordPress.

  • CVE-2018-10997 · Critical · Jun 17, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.