CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 372 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2007-6575 | 0.03 | — | 0.00 | Dec 28, 2007 | SQL injection vulnerability in default.php in MMSLamp allows remote attackers to execute arbitrary SQL commands via the idpro parameter in a prodotti_dettaglio action. | ||
| CVE-2007-6566 | 0.03 | — | 0.01 | Dec 28, 2007 | SQL injection vulnerability in post.php in XZero Community Classifieds 4.95.11 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatid parameter to index.php. | ||
| CVE-2007-6565 | 0.03 | — | 0.01 | Dec 28, 2007 | Multiple SQL injection vulnerabilities in Blakord Portal 1.3.A Beta and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to an arbitrary component. | ||
| CVE-2007-6556 | 0.03 | — | 0.01 | Dec 28, 2007 | Multiple SQL injection vulnerabilities in websihirbazi 5.1.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to default.asp in a news page action or (2) the pageid parameter to default.asp. | ||
| CVE-2007-6543 | 0.03 | — | 0.00 | Dec 28, 2007 | SQL injection vulnerability in suggest-link.php in eSyndiCat Link Exchange Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2007-6544 | 0.03 | — | 0.03 | Dec 28, 2007 | Multiple SQL injection vulnerabilities in RunCMS before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the lid parameter to (1) brokenfile.php, (2) visit.php, or (3) ratefile.php in modules/mydownloads/; or (4) ratelink.php, (5) modlink.php, or (6) brokenlink.php in modules/mylinks/. | ||
| CVE-2007-6551 | 0.03 | — | 0.01 | Dec 28, 2007 | SQL injection vulnerability in showMsg.php in MailMachine Pro 2.2.4, and other versions before 2.2.6, allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2007-6559 | 0.03 | — | 0.01 | Dec 28, 2007 | Multiple SQL injection vulnerabilities in Logaholic before 2.0 RC8 allow remote attackers to execute arbitrary SQL commands via (1) the from parameter to index.php or (2) the page parameter to update.php. | ||
| CVE-2007-6557 | 0.03 | — | 0.01 | Dec 28, 2007 | Multiple SQL injection vulnerabilities in MeGaCheatZ 1.1 allow remote attackers to execute arbitrary SQL commands via the ItemID parameter to (1) comments.php, (2) view.php, (3) siteadmin/ViewItem.php, and unspecified other vectors. | ||
| CVE-2007-6538 | 0.03 | — | 0.02 | Dec 27, 2007 | SQL injection vulnerability in ing/blocks/mrbs/code/web/view_entry.php in the MRBS plugin for Moodle allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2007-6518 | 0.03 | — | 0.01 | Dec 24, 2007 | Multiple SQL injection vulnerabilities in search.php in WoltLab Burning Board (wBB) Lite 1.0.2 pl3e allow remote attackers to execute arbitrary SQL commands via the (1) showposts, (2) sortby, and (3) sortorder parameters. | ||
| CVE-2007-6472 | 0.03 | — | 0.01 | Dec 20, 2007 | Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 allow (1) remote attackers to execute arbitrary SQL commands via the type parameter to search.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the listing_updated_days parameter to admin/findlistings.php. NOTE: some of these details are obtained from third party information. | ||
| CVE-2007-6498 | 0.03 | — | 0.01 | Dec 20, 2007 | Multiple SQL injection vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) email and (2) loginname parameters to Hosting/Addreseller.asp, (3) the sortfield parameter to accounts/accountmanager.asp, (4) the GateWayID parameter to OpenApi/GatewayVariables.asp, and possibly (5) unspecified vectors to IIS/iibind.asp. | ||
| CVE-2007-6462 | 0.03 | — | 0.00 | Dec 20, 2007 | SQL injection vulnerability in fullnews.php in PHP Real Estate Classifieds allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2007-6467 | 0.03 | — | 0.00 | Dec 20, 2007 | SQL injection vulnerability in index.php in MKPortal 1.1 RC1 allows remote attackers to execute arbitrary SQL commands via the ida parameter in a gallery foto_show action. | ||
| CVE-2007-6458 | 0.03 | — | 0.00 | Dec 20, 2007 | SQL injection vulnerability in shop/mainfile.php in 123tkShop 0.9.1 allows remote attackers to execute arbitrary SQL commands via a base64-encoded value of the admin parameter to shop/admin.php. | ||
| CVE-2007-6466 | 0.03 | — | 0.01 | Dec 20, 2007 | Multiple SQL injection vulnerabilities in index.php in FreeWebshop 2.2.1 allow remote attackers to execute arbitrary SQL commands via (1) the prod parameter in a details action, (2) the cat parameter in a browse list action, or (3) the group parameter in a categories action. NOTE: it was later reported that MOG - Web Shop (MOG-WebShop), a product based on the same code, is also affected. | ||
| CVE-2007-6392 | 0.03 | — | 0.00 | Dec 17, 2007 | SQL injection vulnerability in DWdirectory 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the search parameter to the /search URI. | ||
| CVE-2007-6394 | 0.03 | — | 0.00 | Dec 17, 2007 | SQL injection vulnerability in index.php in Content Injector 1.53 allows remote attackers to execute arbitrary SQL commands via the id parameter in an expand action. | ||
| CVE-2007-6391 | 0.03 | — | 0.00 | Dec 17, 2007 | SQL injection vulnerability in patch/comments.php in SH-News 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
- CVE-2007-6575Dec 28, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in default.php in MMSLamp allows remote attackers to execute arbitrary SQL commands via the idpro parameter in a prodotti_dettaglio action.
- CVE-2007-6566Dec 28, 2007risk 0.03cvss —epss 0.01
SQL injection vulnerability in post.php in XZero Community Classifieds 4.95.11 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatid parameter to index.php.
- CVE-2007-6565Dec 28, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Blakord Portal 1.3.A Beta and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to an arbitrary component.
- CVE-2007-6556Dec 28, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in websihirbazi 5.1.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to default.asp in a news page action or (2) the pageid parameter to default.asp.
- CVE-2007-6543Dec 28, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in suggest-link.php in eSyndiCat Link Exchange Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2007-6544Dec 28, 2007risk 0.03cvss —epss 0.03
Multiple SQL injection vulnerabilities in RunCMS before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the lid parameter to (1) brokenfile.php, (2) visit.php, or (3) ratefile.php in modules/mydownloads/; or (4) ratelink.php, (5) modlink.php, or (6) brokenlink.php in modules/mylinks/.
- CVE-2007-6551Dec 28, 2007risk 0.03cvss —epss 0.01
SQL injection vulnerability in showMsg.php in MailMachine Pro 2.2.4, and other versions before 2.2.6, allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2007-6559Dec 28, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Logaholic before 2.0 RC8 allow remote attackers to execute arbitrary SQL commands via (1) the from parameter to index.php or (2) the page parameter to update.php.
- CVE-2007-6557Dec 28, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in MeGaCheatZ 1.1 allow remote attackers to execute arbitrary SQL commands via the ItemID parameter to (1) comments.php, (2) view.php, (3) siteadmin/ViewItem.php, and unspecified other vectors.
- CVE-2007-6538Dec 27, 2007risk 0.03cvss —epss 0.02
SQL injection vulnerability in ing/blocks/mrbs/code/web/view_entry.php in the MRBS plugin for Moodle allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2007-6518Dec 24, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in search.php in WoltLab Burning Board (wBB) Lite 1.0.2 pl3e allow remote attackers to execute arbitrary SQL commands via the (1) showposts, (2) sortby, and (3) sortorder parameters.
- CVE-2007-6472Dec 20, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 allow (1) remote attackers to execute arbitrary SQL commands via the type parameter to search.php and (2) remote authenticated administrators to execute arbitrary SQL commands via the listing_updated_days parameter to admin/findlistings.php. NOTE: some of these details are obtained from third party information.
- CVE-2007-6498Dec 20, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) email and (2) loginname parameters to Hosting/Addreseller.asp, (3) the sortfield parameter to accounts/accountmanager.asp, (4) the GateWayID parameter to OpenApi/GatewayVariables.asp, and possibly (5) unspecified vectors to IIS/iibind.asp.
- CVE-2007-6462Dec 20, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in fullnews.php in PHP Real Estate Classifieds allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2007-6467Dec 20, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in MKPortal 1.1 RC1 allows remote attackers to execute arbitrary SQL commands via the ida parameter in a gallery foto_show action.
- CVE-2007-6458Dec 20, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in shop/mainfile.php in 123tkShop 0.9.1 allows remote attackers to execute arbitrary SQL commands via a base64-encoded value of the admin parameter to shop/admin.php.
- CVE-2007-6466Dec 20, 2007risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in index.php in FreeWebshop 2.2.1 allow remote attackers to execute arbitrary SQL commands via (1) the prod parameter in a details action, (2) the cat parameter in a browse list action, or (3) the group parameter in a categories action. NOTE: it was later reported that MOG - Web Shop (MOG-WebShop), a product based on the same code, is also affected.
- CVE-2007-6392Dec 17, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in DWdirectory 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the search parameter to the /search URI.
- CVE-2007-6394Dec 17, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in index.php in Content Injector 1.53 allows remote attackers to execute arbitrary SQL commands via the id parameter in an expand action.
- CVE-2007-6391Dec 17, 2007risk 0.03cvss —epss 0.00
SQL injection vulnerability in patch/comments.php in SH-News 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.