CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,797)

page 4 of 440

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-17871	Cri	0.67	9.8	0.01	Dec 27, 2017	The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL Injection via the an parameter in a view=tags action, or the ques-srch parameter.
CVE-2017-17870	Cri	0.67	9.8	0.03	Dec 27, 2017	The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the appid parameter in an entriessearch action.
CVE-2017-17721	Cri	0.67	9.8	0.07	Dec 18, 2017	CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorderstatus parameter.
CVE-2017-17651	Cri	0.67	9.8	0.03	Dec 18, 2017	Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php uid parameter, the admin/viewemcamp.php fnum parameter, or the admin/viewvisitcamp.php fn parameter.
CVE-2017-17645	Cri	0.67	9.8	0.03	Dec 18, 2017	Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.
CVE-2017-17643	Cri	0.67	9.8	0.02	Dec 18, 2017	FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/.
CVE-2017-17648	Cri	0.67	9.8	0.01	Dec 13, 2017	Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_result.php marital, gender, country, or profileid parameter.
CVE-2017-17642	Cri	0.67	9.8	0.03	Dec 13, 2017	Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job.
CVE-2017-17641	Cri	0.67	9.8	0.03	Dec 13, 2017	Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter.
CVE-2017-17640	Cri	0.67	9.8	0.03	Dec 13, 2017	Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter.
CVE-2017-17639	Cri	0.67	9.8	0.03	Dec 13, 2017	Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter.
CVE-2017-17638	Cri	0.67	9.8	0.03	Dec 13, 2017	Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter.
CVE-2017-17637	Cri	0.67	9.8	0.03	Dec 13, 2017	Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val parameter.
CVE-2017-17636	Cri	0.67	9.8	0.03	Dec 13, 2017	MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter.
CVE-2017-17635	Cri	0.67	9.8	0.03	Dec 13, 2017	MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter.
CVE-2017-17634	Cri	0.67	9.8	0.03	Dec 13, 2017	Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
CVE-2017-17633	Cri	0.67	9.8	0.03	Dec 13, 2017	Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid parameter.
CVE-2017-17632	Cri	0.67	9.8	0.03	Dec 13, 2017	Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
CVE-2017-17631	Cri	0.67	9.8	0.03	Dec 13, 2017	Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the success-story.php succid parameter.
CVE-2017-17630	Cri	0.67	9.8	0.03	Dec 13, 2017	Yoga Class Script 1.0 has SQL Injection via the /list city parameter.