CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,793)

page 397 of 490

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2007-6080	Bcoos Bcoos	0.03	—	0.02	Nov 21, 2007	SQL injection vulnerability in modules/banners/click.php in the banners module for bcoos 1.0.10 allows remote attackers to execute arbitrary SQL commands via the bid parameter. NOTE: it was later reported that 1.0.13 is also affected.
CVE-2007-6058	Profilecms Profilecms	0.03	—	0.01	Nov 20, 2007	Multiple SQL injection vulnerabilities in index.php in ProfileCMS 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) codes action in the profile-codes module, (2) videos action in the video-codes module, or (3) games action in…
CVE-2007-6032	Aleris Web Publishing Server	0.03	—	0.01	Nov 20, 2007	SQL injection vulnerability in calendar/page.asp in Aleris Web Publishing Server 3.0 allows remote attackers to execute arbitrary SQL commands via the mode parameter.
CVE-2007-5996	Softbizscripts Link Directory Script	0.03	—	0.00	Nov 15, 2007	SQL injection vulnerability in searchresult.php in Softbiz Link Directory Script allows remote attackers to execute arbitrary SQL commands via the sbcat_id parameter, a related issue to CVE-2007-5449.
CVE-2007-6004	Toko Instan	0.03	—	0.00	Nov 15, 2007	Multiple SQL injection vulnerabilities in index.php in Toko Instan 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in an artikel action or (2) the katid parameter in a produk action.
CVE-2007-5999	Softbizscripts Softbiz Auctions Script	0.03	—	0.00	Nov 15, 2007	SQL injection vulnerability in product_desc.php in Softbiz Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-5998	Softbizscripts AD Management Plus Script	0.03	—	0.00	Nov 15, 2007	SQL injection vulnerability in ads.php in Softbiz Ad Management plus Script 1 allows remote authenticated users to execute arbitrary SQL commands via the package parameter.
CVE-2007-5997	Softbizscripts Banner Exchange Network Script	0.03	—	0.00	Nov 15, 2007	SQL injection vulnerability in campaign_stats.php in Softbiz Banner Exchange Network Script 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
CVE-2007-5992	Datecomm Social Networking Script	0.03	—	0.01	Nov 15, 2007	SQL injection vulnerability in index.php in datecomm Social Networking Script (aka Myspace Clone Script) allows remote attackers to execute arbitrary SQL commands via the seid parameter in a viewcat s action on the forums page.
CVE-2007-5974	Jportal Jportal Web Portal	0.03	—	0.00	Nov 15, 2007	SQL injection vulnerability in mailer.php in JPortal 2 allows remote attackers to execute arbitrary SQL commands via the to parameter.
CVE-2007-5973	Jportal Jportal	0.03	—	0.00	Nov 15, 2007	SQL injection vulnerability in articles.php in JPortal 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter.
CVE-2007-5978	XOOPS Mylinks Module	0.03	—	0.00	Nov 15, 2007	SQL injection vulnerability in brokenlink.php in the mylinks module for XOOPS allows remote attackers to execute arbitrary SQL commands via the lid parameter.
CVE-2007-5951	E Vendejo E-Vendejo	0.03	—	0.00	Nov 14, 2007	SQL injection vulnerability in articles.php in E-Vendejo 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-5912	Jportal Jportal	0.03	—	0.00	Nov 10, 2007	SQL injection vulnerability in mailer.php in jPORTAL 2 allows remote attackers to execute arbitrary SQL commands via the to parameter.
CVE-2007-5887	Infuseum Asp Message Board	0.03	—	0.00	Nov 7, 2007	SQL injection vulnerability in boards/printer.asp in ASP Message Board 2.2.1c allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-4863	Saxon Saxon	0.03	—	0.01	Oct 30, 2007	SQL injection vulnerability in example.php in SAXON 5.4 allows remote attackers to execute arbitrary SQL commands via the template parameter.
CVE-2007-5719	Minibb Minibb	0.03	—	0.00	Oct 30, 2007	SQL injection vulnerability in bb_func_search.php in miniBB 2.1 allows remote attackers to execute arbitrary SQL commands via the table parameter to index.php.
CVE-2007-5688	PhpBB phpBB	0.03	—	0.00	Oct 29, 2007	Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision Power Board (IPB or IP.Board), allow remote attackers to execute arbitrary SQL commands via the (1) go and (2) cat parameters.
CVE-2007-5679	Deeemm Dmcms	0.03	—	0.01	Oct 25, 2007	SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in the media page (build_media_content.php). NOTE: it was later reported that 0.7.4 is also affected.
CVE-2007-5646	Simple Machines Simple Machines Forum	0.03	—	0.02	Oct 23, 2007	SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php.

CVE-2007-6080Nov 21, 2007
Bcoos
Bcoos
risk 0.03cvss —epss 0.02
SQL injection vulnerability in modules/banners/click.php in the banners module for bcoos 1.0.10 allows remote attackers to execute arbitrary SQL commands via the bid parameter. NOTE: it was later reported that 1.0.13 is also affected.
CVE-2007-6058Nov 20, 2007
Profilecms
Profilecms
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in index.php in ProfileCMS 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) codes action in the profile-codes module, (2) videos action in the video-codes module, or (3) games action in…
CVE-2007-6032Nov 20, 2007
Aleris
Web Publishing Server
risk 0.03cvss —epss 0.01
SQL injection vulnerability in calendar/page.asp in Aleris Web Publishing Server 3.0 allows remote attackers to execute arbitrary SQL commands via the mode parameter.
CVE-2007-5996Nov 15, 2007
Softbizscripts
Link Directory Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in searchresult.php in Softbiz Link Directory Script allows remote attackers to execute arbitrary SQL commands via the sbcat_id parameter, a related issue to CVE-2007-5449.
CVE-2007-6004Nov 15, 2007
Toko
Instan
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in index.php in Toko Instan 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in an artikel action or (2) the katid parameter in a produk action.
CVE-2007-5999Nov 15, 2007
Softbizscripts
Softbiz Auctions Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in product_desc.php in Softbiz Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-5998Nov 15, 2007
Softbizscripts
AD Management Plus Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in ads.php in Softbiz Ad Management plus Script 1 allows remote authenticated users to execute arbitrary SQL commands via the package parameter.
CVE-2007-5997Nov 15, 2007
Softbizscripts
Banner Exchange Network Script
risk 0.03cvss —epss 0.00
SQL injection vulnerability in campaign_stats.php in Softbiz Banner Exchange Network Script 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
CVE-2007-5992Nov 15, 2007
Datecomm
Social Networking Script
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in datecomm Social Networking Script (aka Myspace Clone Script) allows remote attackers to execute arbitrary SQL commands via the seid parameter in a viewcat s action on the forums page.
CVE-2007-5974Nov 15, 2007
Jportal
Jportal Web Portal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in mailer.php in JPortal 2 allows remote attackers to execute arbitrary SQL commands via the to parameter.
CVE-2007-5973Nov 15, 2007
Jportal
Jportal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in articles.php in JPortal 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter.
CVE-2007-5978Nov 15, 2007
XOOPS
Mylinks Module
risk 0.03cvss —epss 0.00
SQL injection vulnerability in brokenlink.php in the mylinks module for XOOPS allows remote attackers to execute arbitrary SQL commands via the lid parameter.
CVE-2007-5951Nov 14, 2007
E Vendejo
E-Vendejo
risk 0.03cvss —epss 0.00
SQL injection vulnerability in articles.php in E-Vendejo 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-5912Nov 10, 2007
Jportal
Jportal
risk 0.03cvss —epss 0.00
SQL injection vulnerability in mailer.php in jPORTAL 2 allows remote attackers to execute arbitrary SQL commands via the to parameter.
CVE-2007-5887Nov 7, 2007
Infuseum
Asp Message Board
risk 0.03cvss —epss 0.00
SQL injection vulnerability in boards/printer.asp in ASP Message Board 2.2.1c allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-4863Oct 30, 2007
Saxon
Saxon
risk 0.03cvss —epss 0.01
SQL injection vulnerability in example.php in SAXON 5.4 allows remote attackers to execute arbitrary SQL commands via the template parameter.
CVE-2007-5719Oct 30, 2007
Minibb
Minibb
risk 0.03cvss —epss 0.00
SQL injection vulnerability in bb_func_search.php in miniBB 2.1 allows remote attackers to execute arbitrary SQL commands via the table parameter to index.php.
CVE-2007-5688Oct 29, 2007
PhpBB
phpBB
risk 0.03cvss —epss 0.00
Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision Power Board (IPB or IP.Board), allow remote attackers to execute arbitrary SQL commands via the (1) go and (2) cat parameters.
CVE-2007-5679Oct 25, 2007
Deeemm
Dmcms
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in the media page (build_media_content.php). NOTE: it was later reported that 0.7.4 is also affected.
CVE-2007-5646Oct 23, 2007
Simple Machines
Simple Machines Forum
risk 0.03cvss —epss 0.02
SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a search2 action to index.php.