CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Abstraction: Base · Status: Stable · Likelihood of exploit: High
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,797)
page 386 of 440

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-5703 | | 0.00 | — | 0.00 | | Sep 28, 2015 | SQL injection vulnerability in the public key discovery API call in Open-Xchange OX Guard before 2.0.0-rev8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-6548 | | 0.00 | — | 0.01 | | Sep 20, 2015 | Multiple SQL injection vulnerabilities in a PHP script in the management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2014-9229 | | 0.00 | — | 0.00 | | Sep 20, 2015 | Multiple SQL injection vulnerabilities in interface PHP scripts in the Manager component in Symantec Endpoint Protection (SEP) before 12.1.6 allow remote authenticated users to execute arbitrary SQL commands by leveraging the Limited Administrator role. |
| CVE-2015-6299 | | 0.00 | — | 0.00 | | Sep 20, 2015 | SQL injection vulnerability in the web interface in Cisco Unity Connection 9.1(1.2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted POST request, aka Bug ID CSCuv63824. |
| CVE-2015-7239 | | 0.00 | — | 0.00 | | Sep 18, 2015 | SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-6829 | | 0.00 | — | 0.01 | | Sep 16, 2015 | Multiple SQL injection vulnerabilities in the getip function in wp-limit-login-attempts.php in the WP Limit Login Attempts plugin before 2.0.1 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) X-Forwarded-For or (2) Client-IP HTTP header. |
| CVE-2015-6943 | | 0.00 | — | 0.00 | | Sep 15, 2015 | SQL injection vulnerability in the serendipity_checkCommentToken function in include/functions_comments.inc.php in Serendipity before 2.0.2, when "Use Tokens for Comment Moderation" is enabled, allows remote administrators to execute arbitrary SQL commands via the serendipity[id] parameter to serendipity_admin.php. |
| CVE-2015-6915 | | 0.00 | — | 0.00 | | Sep 11, 2015 | SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier allows remote attackers to execute arbitrary SQL commands via the "user" cookie to plugins/feedback/pages/feedback.php. |
| CVE-2015-6910 | | 0.00 | — | 0.01 | | Sep 11, 2015 | SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi. |
| CVE-2015-5504 | | 0.00 | — | 0.01 | | Aug 18, 2015 | SQL injection vulnerability in the Novalnet Payment Module Ubercart module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-4426 | | 0.00 | — | 0.00 | | Aug 18, 2015 | SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter parameter to admin/asset/grid-proxy. |
| CVE-2015-6513 | | 0.00 | — | 0.00 | | Aug 18, 2015 | Multiple SQL injection vulnerabilities in the J2Store (com_j2store) extension before 3.1.7 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) sortby or (2) manufacturer_ids[] parameter to index.php. |
| CVE-2015-5599 | | 0.00 | — | 0.02 | | Aug 18, 2015 | Multiple SQL injection vulnerabilities in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) albumid or (2) name parameter. |
| CVE-2015-4634 | | 0.00 | — | 0.00 | | Aug 11, 2015 | SQL injection vulnerability in graphs.php in Cacti before 0.8.8e allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. |
| CVE-2015-1491 | | 0.00 | — | 0.01 | | Aug 1, 2015 | SQL injection vulnerability in the management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-2972 | | 0.00 | — | 0.01 | | Jul 19, 2015 | Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-5459 | | 0.00 | — | 0.01 | | Jul 8, 2015 | SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc. |
| CVE-2015-2849 | | 0.00 | — | 0.00 | | Jul 7, 2015 | SQL injection vulnerability in main.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices, when https is used, allows remote attackers to execute arbitrary SQL commands via the ppli parameter. |
| CVE-2015-4129 | | 0.00 | — | 0.01 | | Jul 5, 2015 | SQL injection vulnerability in Subrion CMS before 3.3.3 allows remote authenticated users to execute arbitrary SQL commands via modified serialized data in a salt cookie. |
| CVE-2015-4233 | | 0.00 | — | 0.01 | | Jul 2, 2015 | SQL injection vulnerability in Cisco Unified MeetingPlace 8.6(1.2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuu54037. |