CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
BaseStableLikelihood: High
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 382 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2006-1330 | 0.03 | — | 0.01 | Mar 21, 2006 | Multiple SQL injection vulnerabilities in phpWebsite 0.83 and earlier allow remote attackers to execute arbitrary SQL commands via the sid parameter to (1) friend.php or (2) article.php. | ||
| CVE-2006-1278 | 0.03 | — | 0.03 | Mar 19, 2006 | SQL injection vulnerability in @1 File Store 2006.03.07 allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) functions.php and (2) user.php in the libs directory, (3) edit.php and (4) delete.php in control/files/, (5) edit.php and (6) delete.php in control/users/, (7) edit.php, (8) access.php, and (9) in control/folders/, (10) access.php and (11) delete.php in control/groups/, (12) confirm.php, and (13) download.php; (14) the email parameter in password.php, and (15) the id parameter in folder.php. NOTE: it was later reported that vectors 12 and 13 also affect @1 File Store PRO 3.2. | ||
| CVE-2006-1018 | 0.03 | — | 0.00 | Mar 7, 2006 | SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 allows remote attackers to execute arbitrary SQL commands via the id parameter in a diwan view action. | ||
| CVE-2006-0961 | 0.03 | — | 0.03 | Mar 2, 2006 | SQL injection vulnerability in yazdir.asp in Cilem Hiber 1.1 allows remote attackers to execute arbitrary SQL commands via the haber_id parameter. NOTE: this product has also been referred to as "Cilem News," although that does not appear to be the proper name. | ||
| CVE-2006-0959 | 0.03 | — | 0.05 | Mar 2, 2006 | SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands by setting the comma variable value via the comma parameter in a cookie. NOTE: 1.04 has also been reported to be affected. | ||
| CVE-2006-0750 | 0.03 | — | 0.01 | Feb 18, 2006 | SQL injection vulnerability in army.php in supersmashbrothers (SSB) Army System 2.1.0 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the userstat parameter in an army action to index.php. | ||
| CVE-2006-0510 | 0.03 | — | 0.01 | Feb 1, 2006 | SQL injection vulnerability in userlogin.jsp in Daffodil CRM 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified parameters in a login action. | ||
| CVE-2006-0413 | 0.03 | — | 0.01 | Jan 25, 2006 | Multiple SQL injection vulnerabilities in index.php in NewsPHP allow remote attackers to execute arbitrary SQL commands via the (1) discuss, (2) tim, (3) id, (4) last, and (5) limit parameter. | ||
| CVE-2006-0318 | 0.03 | — | 0.04 | Jan 19, 2006 | SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action. | ||
| CVE-2006-0249 | 0.03 | — | 0.03 | Jan 18, 2006 | SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1.0 allows remote attackers to execute arbitrary SQL commands, then steal credentials and upload files, via the cat parameter ($tmpCategory variable). | ||
| CVE-2006-0240 | 0.03 | — | 0.01 | Jan 18, 2006 | Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts. | ||
| CVE-2006-0199 | 0.03 | — | 0.03 | Jan 13, 2006 | SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the hid parameter. | ||
| CVE-2006-0160 | 0.03 | — | 0.04 | Jan 10, 2006 | SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3. | ||
| CVE-2006-0115 | 0.03 | — | 0.01 | Jan 9, 2006 | Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CMS allow remote attackers to execute arbitrary SQL commands via the (1) Press_Release_ID parameter in press/details.asp, (2) Service_ID parameter in services/details.asp, and (3) Product_ID parameter in products/details.asp. | ||
| CVE-2006-0123 | 0.03 | — | 0.01 | Jan 9, 2006 | Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter in index.php and (2) pagid parameter in verpag.php, and possibly other vectors. | ||
| CVE-2006-0074 | 0.03 | — | 0.01 | Jan 4, 2006 | SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter. NOTE: it was later reported that 1.1 and earlier are affected. | ||
| CVE-2005-4500 | 0.03 | — | 0.01 | Dec 22, 2005 | SQL injection vulnerability in MusicBox 2.3 allows remote attackers to execute arbitrary SQL commands via the (1) show and (2) type parameter. NOTE: the provenance of this information is unknown, although it was later rediscovered. | ||
| CVE-2005-4478 | 0.03 | — | 0.01 | Dec 22, 2005 | Multiple SQL injection vulnerabilities in Papoo 2.1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) menuid parameter to (a) index.php and (b) guestbook.php, and the (2) forumid and (3) reporeid_print parameters to (c) print.php. | ||
| CVE-2005-4380 | 0.03 | — | 0.01 | Dec 20, 2005 | Multiple SQL injection vulnerabilities in Bitweaver 1.1 and 1.1.1 beta allow remote attackers to execute arbitrary SQL commands via the (1) sort_mode parameter to (a) fisheye/list_galleries.php, (b) messages/message_box.php, and (c) users/my.php; the (2) post_id parameter to (d) blogs/view_post.php; and the (3) blog_id parameter to (e) blogs/view.php, which are not properly cleansed by the convert_sortmode function in kernel/BitDb.php. | ||
| CVE-2005-4263 | 0.03 | — | 0.01 | Dec 15, 2005 | SQL injection vulnerability in the News module in Envolution allows remote attackers to execute arbitrary SQL commands via the (1) startrow and (2) catid parameter. |