CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,793)

page 399 of 490

CVE	Vendor / Product	Risk	CVSS	EPSS	Published	Description
CVE-2007-5187	PHP-Fusion Expanded Calendar Module	0.03	—	0.01	Oct 3, 2007	SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter.
CVE-2007-5131	Interspire Activekb	0.03	—	0.01	Sep 27, 2007	SQL injection vulnerability in index.php in Interspire ActiveKB NX 2.x allows remote attackers to execute arbitrary SQL commands via the catId parameter in a browse action. NOTE: it was separately reported that ActiveKB 1.5 is also affected.
CVE-2007-5122	Softbizscripts Classifieds PLUS	0.03	—	0.01	Sep 27, 2007	SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-5123	Solidweb Novus	0.03	—	0.01	Sep 27, 2007	SQL injection vulnerability in notas.asp in Novus 1.0 allows remote attackers to execute arbitrary SQL commands via the nota_id parameter.
CVE-2007-5068	Phpfullannu Phpfullannu	0.03	—	0.01	Sep 24, 2007	SQL injection vulnerability in index.php in phpFullAnnu (PFA) 6.0 allows remote attackers to execute arbitrary SQL commands via the mod parameter.
CVE-2007-5061	Clansphere Clansphere	0.03	—	0.01	Sep 24, 2007	SQL injection vulnerability in mods/banners/navlist.php in Clansphere 2007.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php in a banners action.
CVE-2007-5016	Adaptcms Onecms	0.03	—	0.01	Sep 20, 2007	SQL injection vulnerability in userreviews.php in OneCMS 2.4 allows remote attackers to execute arbitrary SQL commands via the abc parameter.
CVE-2007-4984	Ktauber Stylesdemo	0.03	—	0.01	Sep 19, 2007	SQL injection vulnerability in index.php in the Ktauber.com StylesDemo mod for phpBB 2.0.xx allows remote attackers to execute arbitrary SQL commands via the s parameter.
CVE-2007-4979	Kwsphp Kwsphp	0.03	—	0.01	Sep 19, 2007	SQL injection vulnerability in index.php in the sondages module in KwsPHP 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a results action, a different module than CVE-2007-4956.2.
CVE-2007-4966	GForge Gforge	0.03	—	0.01	Sep 18, 2007	SQL injection vulnerability in www/people/editprofile.php in GForge 4.6b2 and earlier allows remote attackers to execute arbitrary SQL commands via the skill_delete[] parameter.
CVE-2007-4952	Omnistar Interactive Omnistar Article Manager	0.03	—	0.01	Sep 18, 2007	SQL injection vulnerability in article.php in OmniStar Article Manager allows remote attackers to execute arbitrary SQL commands via the page_id parameter in a favorite op action, a different vector than CVE-2006-5917.
CVE-2007-4953	Simpcms Simpcms	0.03	—	0.01	Sep 18, 2007	SQL injection vulnerability in index.php in SimpCMS allows remote attackers to execute arbitrary SQL commands via the keyword parameter in a search site action.
CVE-2007-4956	Kwsphp Kwsphp	0.03	—	0.02	Sep 18, 2007	Multiple SQL injection vulnerabilities in KwsPHP 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the pseudo parameter to login.php, (2) the id parameter to index.php in a carnet editer action in the Member_Space (espace_membre) module, or (3) the typenav…
CVE-2007-4918	Gelatocms Gelato	0.03	—	0.02	Sep 17, 2007	SQL injection vulnerability in classes/gelato.class.php in Gelato allows remote attackers to execute arbitrary SQL commands via the post parameter to index.php.
CVE-2007-4922	Kwsphp Kwsphp	0.03	—	0.01	Sep 17, 2007	SQL injection vulnerability in play.php in the jeuxflash 1.0 module for KwsPHP allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a play ac action to index.php. NOTE: some details are obtained from third party information.
CVE-2007-4920	PHP Webquest Phpwebquest	0.03	—	0.01	Sep 17, 2007	SQL injection vulnerability in soporte_derecha_w.php in PHP Webquest 2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id_actividad parameter.
CVE-2007-4919	Jblog Jblog	0.03	—	0.01	Sep 17, 2007	Multiple SQL injection vulnerabilities in JBlog 1.0 allow (1) remote attackers to execute arbitrary SQL commands via the id parameter to index.php, and allow (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter to admin/modifpost.php.
CVE-2007-4892	Swsoft Plesk	0.03	—	0.01	Sep 14, 2007	Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, 8.1.1, and 8.2.0 for Windows allow remote attackers to execute arbitrary SQL commands via a PLESKSESSID cookie to (1) login.php3 or (2) auth.php3.
CVE-2007-4846	Webace Webace Linkscript	0.03	—	0.01	Sep 12, 2007	SQL injection vulnerability in start.php in Webace-Linkscript (wls) 1.3 Special Edition (SE) allows remote attackers to execute arbitrary SQL commands via the id parameter in a rubrik go action.
CVE-2007-4845	Rwscripts.com Rw Download Lite	0.03	—	0.01	Sep 12, 2007	Multiple SQL injection vulnerabilities in UPLOAD/index.php in RW::Download 2.0.3 lite allow remote attackers to execute arbitrary SQL commands via the (1) dlid or (2) cid parameter.

CVE-2007-5187Oct 3, 2007
PHP-Fusion
Expanded Calendar Module
risk 0.03cvss —epss 0.01
SQL injection vulnerability in infusions/calendar_events_panel/show_single.php in the Expanded Calendar 2.x module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the sel parameter.
CVE-2007-5131Sep 27, 2007
Interspire
Activekb
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Interspire ActiveKB NX 2.x allows remote attackers to execute arbitrary SQL commands via the catId parameter in a browse action. NOTE: it was separately reported that ActiveKB 1.5 is also affected.
CVE-2007-5122Sep 27, 2007
Softbizscripts
Classifieds PLUS
risk 0.03cvss —epss 0.01
SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2007-5123Sep 27, 2007
Solidweb
Novus
risk 0.03cvss —epss 0.01
SQL injection vulnerability in notas.asp in Novus 1.0 allows remote attackers to execute arbitrary SQL commands via the nota_id parameter.
CVE-2007-5068Sep 24, 2007
Phpfullannu
Phpfullannu
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in phpFullAnnu (PFA) 6.0 allows remote attackers to execute arbitrary SQL commands via the mod parameter.
CVE-2007-5061Sep 24, 2007
Clansphere
Clansphere
risk 0.03cvss —epss 0.01
SQL injection vulnerability in mods/banners/navlist.php in Clansphere 2007.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php in a banners action.
CVE-2007-5016Sep 20, 2007
Adaptcms
Onecms
risk 0.03cvss —epss 0.01
SQL injection vulnerability in userreviews.php in OneCMS 2.4 allows remote attackers to execute arbitrary SQL commands via the abc parameter.
CVE-2007-4984Sep 19, 2007
Ktauber
Stylesdemo
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in the Ktauber.com StylesDemo mod for phpBB 2.0.xx allows remote attackers to execute arbitrary SQL commands via the s parameter.
CVE-2007-4979Sep 19, 2007
Kwsphp
Kwsphp
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in the sondages module in KwsPHP 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a results action, a different module than CVE-2007-4956.2.
CVE-2007-4966Sep 18, 2007
GForge
Gforge
risk 0.03cvss —epss 0.01
SQL injection vulnerability in www/people/editprofile.php in GForge 4.6b2 and earlier allows remote attackers to execute arbitrary SQL commands via the skill_delete[] parameter.
CVE-2007-4952Sep 18, 2007
Omnistar Interactive
Omnistar Article Manager
risk 0.03cvss —epss 0.01
SQL injection vulnerability in article.php in OmniStar Article Manager allows remote attackers to execute arbitrary SQL commands via the page_id parameter in a favorite op action, a different vector than CVE-2006-5917.
CVE-2007-4953Sep 18, 2007
Simpcms
Simpcms
risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in SimpCMS allows remote attackers to execute arbitrary SQL commands via the keyword parameter in a search site action.
CVE-2007-4956Sep 18, 2007
Kwsphp
Kwsphp
risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in KwsPHP 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the pseudo parameter to login.php, (2) the id parameter to index.php in a carnet editer action in the Member_Space (espace_membre) module, or (3) the typenav…
CVE-2007-4918Sep 17, 2007
Gelatocms
Gelato
risk 0.03cvss —epss 0.02
SQL injection vulnerability in classes/gelato.class.php in Gelato allows remote attackers to execute arbitrary SQL commands via the post parameter to index.php.
CVE-2007-4922Sep 17, 2007
Kwsphp
Kwsphp
risk 0.03cvss —epss 0.01
SQL injection vulnerability in play.php in the jeuxflash 1.0 module for KwsPHP allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a play ac action to index.php. NOTE: some details are obtained from third party information.
CVE-2007-4920Sep 17, 2007
PHP Webquest
Phpwebquest
risk 0.03cvss —epss 0.01
SQL injection vulnerability in soporte_derecha_w.php in PHP Webquest 2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id_actividad parameter.
CVE-2007-4919Sep 17, 2007
Jblog
Jblog
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in JBlog 1.0 allow (1) remote attackers to execute arbitrary SQL commands via the id parameter to index.php, and allow (2) remote authenticated administrators to execute arbitrary SQL commands via the id parameter to admin/modifpost.php.
CVE-2007-4892Sep 14, 2007
Swsoft
Plesk
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, 8.1.1, and 8.2.0 for Windows allow remote attackers to execute arbitrary SQL commands via a PLESKSESSID cookie to (1) login.php3 or (2) auth.php3.
CVE-2007-4846Sep 12, 2007
Webace
Webace Linkscript
risk 0.03cvss —epss 0.01
SQL injection vulnerability in start.php in Webace-Linkscript (wls) 1.3 Special Edition (SE) allows remote attackers to execute arbitrary SQL commands via the id parameter in a rubrik go action.
CVE-2007-4845Sep 12, 2007
Rwscripts.com
Rw Download Lite
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in UPLOAD/index.php in RW::Download 2.0.3 lite allow remote attackers to execute arbitrary SQL commands via the (1) dlid or (2) cid parameter.