VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 4 of 512
  • CVE-2017-7997 · Critical · Jan 8, 2018
    risk 0.68 · cvss 9.8 · epss 0.19

    Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp.

  • CVE-2017-14078 · Critical · Sep 22, 2017
    risk 0.68 · cvss 9.8 · epss 0.50

    SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

  • CVE-2015-9098 · Critical · Jun 22, 2017
    risk 0.68 · cvss 9.8 · epss 0.14

    In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monitor is connecting to these…

  • CVE-2017-2641 · Critical · Mar 26, 2017
    risk 0.68 · cvss 9.8 · epss 0.15

    In Moodle 2.x and 3.x, SQL injection can occur via user preferences.

  • CVE-2025-3096 · Critical · Apr 1, 2025
    risk 0.67 · cvss · epss 0.01

    Clinic’s Patient Management System versions 2.0 suffers from a SQL injection vulnerability in the login page.

  • CVE-2025-22954 · Critical · Mar 12, 2025
    risk 0.67 · cvss 10.0 · epss 0.23

    GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.

  • CVE-2024-50672 · Critical · Nov 25, 2024
    risk 0.67 · cvss 9.8 · epss 0.02

    A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. The vulnerability occurs due to insufficient validation of user input, which is…

  • CVE-2024-44541 · Critical · Sep 11, 2024
    risk 0.67 · cvss 9.8 · epss 0.03

    evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin."

  • CVE-2024-5827 · Critical · Jun 28, 2024
    risk 0.67 · cvss 9.8 · epss 0.03

    Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents…

  • CVE-2022-44588 · Critical · Dec 15, 2022
    risk 0.67 · cvss 9.9 · epss 0.02

    Unauth. SQL Injection vulnerability in Cryptocurrency Widgets Pack Plugin <=1.8.1 on WordPress.

  • CVE-2018-17428 · Critical · Oct 3, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    An issue was discovered in OPAC EasyWeb Five 5.7. There is SQL injection via the w2001/index.php?scelta=campi biblio parameter.

  • CVE-2018-17397 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for Joomla! via the letter parameter.

  • CVE-2018-17394 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Timetable Schedule 3.6.8 component for Joomla! via the eid parameter.

  • CVE-2018-17391 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in authors_post.php in Super Cms Blog Pro 1.0 via the author parameter.

  • CVE-2018-17385 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter.

  • CVE-2018-17384 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! via the filter_order_Dir or filter_order parameter.

  • CVE-2018-17383 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Collection Factory 4.1.9 component for Joomla! via the filter_order or filter_order_Dir parameter.

  • CVE-2018-17382 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! via the filter_letter parameter.

  • CVE-2018-17380 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Article Factory Manager 4.3.9 component for Joomla! via the start_date, m_start_date, or m_end_date parameter.

  • CVE-2018-17379 · Critical · Sep 28, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! via the filter_order_Dir or filter_order parameter.