CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 4 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7997 | — | Cri | 0.68 | 9.8 | 0.19 | | Jan 8, 2018 | Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp. |
| CVE-2017-14078 | — | Cri | 0.68 | 9.8 | 0.50 | | Sep 22, 2017 | SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations. |
| CVE-2015-9098 | — | Cri | 0.68 | 9.8 | 0.14 | | Jun 22, 2017 | In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monitor is connecting to these… |
| CVE-2017-2641 | — | Cri | 0.68 | 9.8 | 0.15 | | Mar 26, 2017 | In Moodle 2.x and 3.x, SQL injection can occur via user preferences. |
| CVE-2025-3096 | — | Cri | 0.67 | — | 0.01 | | Apr 1, 2025 | Clinic’s Patient Management System versions 2.0 suffers from a SQL injection vulnerability in the login page. |
| CVE-2025-22954 | — | Cri | 0.67 | 10.0 | 0.23 | | Mar 12, 2025 | GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. |
| CVE-2024-50672 | — | Cri | 0.67 | 9.8 | 0.02 | | Nov 25, 2024 | A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. The vulnerability occurs due to insufficient validation of user input, which is… |
| CVE-2024-44541 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 11, 2024 | evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin." |
| CVE-2024-5827 | — | Cri | 0.67 | 9.8 | 0.03 | | Jun 28, 2024 | Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents… |
| CVE-2022-44588 | — | Cri | 0.67 | 9.9 | 0.02 | | Dec 15, 2022 | Unauth. SQL Injection vulnerability in Cryptocurrency Widgets Pack Plugin <=1.8.1 on WordPress. |
| CVE-2018-17428 | — | Cri | 0.67 | 9.8 | 0.03 | | Oct 3, 2018 | An issue was discovered in OPAC EasyWeb Five 5.7. There is SQL injection via the w2001/index.php?scelta=campi biblio parameter. |
| CVE-2018-17397 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for Joomla! via the letter parameter. |
| CVE-2018-17394 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Timetable Schedule 3.6.8 component for Joomla! via the eid parameter. |
| CVE-2018-17391 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in authors_post.php in Super Cms Blog Pro 1.0 via the author parameter. |
| CVE-2018-17385 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter. |
| CVE-2018-17384 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! via the filter_order_Dir or filter_order parameter. |
| CVE-2018-17383 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Collection Factory 4.1.9 component for Joomla! via the filter_order or filter_order_Dir parameter. |
| CVE-2018-17382 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! via the filter_letter parameter. |
| CVE-2018-17380 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Article Factory Manager 4.3.9 component for Joomla! via the start_date, m_start_date, or m_end_date parameter. |
| CVE-2018-17379 | — | Cri | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! via the filter_order_Dir or filter_order parameter. |