CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (9,696)
Page 402 of 485

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2004-1925 | | | 0.03 | — | 0.00 | | Apr 12, 2004 | Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4)… |
| CVE-2003-1435 | | | 0.03 | — | 0.00 | | Dec 31, 2003 | SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module. |
| CVE-2003-1244 | | | 0.03 | — | 0.02 | | Dec 31, 2003 | SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords and possibly gain unauthorized access to forums via the forum_id parameter to index.php. |
| CVE-2003-1504 | | | 0.03 | — | 0.00 | | Dec 31, 2003 | SQL injection vulnerability in variables.php in Goldlink 3.0 allows remote attackers to execute arbitrary SQL commands via the (1) vadmin_login or (2) vadmin_pass cookie in a request to goldlink.php. |
| CVE-2003-1520 | | | 0.03 | — | 0.01 | | Dec 31, 2003 | SQL injection vulnerability in FuzzyMonkey My Classifieds 2.11 allows remote attackers to execute arbitrary SQL commands via the email parameter. |
| CVE-2003-1532 | | | 0.03 | — | 0.00 | | Dec 31, 2003 | SQL injection vulnerability in compte.php in PhpMyShop 1.00 allows remote attackers to execute arbitrary SQL commands via the (1) identifiant and (2) password parameters. |
| CVE-2003-1533 | | | 0.03 | — | 0.00 | | Dec 31, 2003 | SQL injection vulnerability in accesscontrol.php in PhpPass 2 allows remote attackers to execute arbitrary SQL commands via the (1) uid and (2) pwd parameters. |
| CVE-2003-0377 | | | 0.03 | — | 0.01 | | Jun 16, 2003 | SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName variable in SiteAdmin.ASP. |
| CVE-2002-2304 | | | 0.03 | — | 0.01 | | Dec 31, 2002 | SQL injection vulnerability in admin/auth/checksession.php in MyPHPLinks 2.1.9 and 2.2.0 allows remote attackers to execute arbitrary SQL commands via the idsession parameter. |
| CVE-2023-31717 | | | 0.02 | — | 0.31 | | Sep 21, 2023 | A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database. |
| CVE-2021-36393 | | | 0.02 | — | 0.24 | | Mar 6, 2023 | In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses. |
| CVE-2022-4375 | | | 0.02 | — | 0.26 | | Dec 9, 2022 | A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit… |
| CVE-2018-10094 | | — | 0.02 | — | 0.74 | | May 22, 2018 | SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. |
| CVE-2014-9566 | | | 0.02 | — | 0.76 | | Mar 10, 2015 | Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager… |
| CVE-2014-8682 | | | 0.02 | — | 0.77 | | Nov 21, 2014 | Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2)… |
| CVE-2014-3828 | | | 0.02 | — | 0.79 | | Oct 23, 2014 | Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter… |
| CVE-2023-26750 | | — | 0.01 | — | 0.11 | | Apr 4, 2023 | SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. |
| CVE-2023-24775 | | | 0.01 | — | 0.11 | | Mar 7, 2023 | Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member.php. |
| CVE-2023-25157 | | | 0.01 | — | 0.94 | | Feb 21, 2023 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service… |
| CVE-2022-31101 | | | 0.01 | — | 0.57 | | Jun 27, 2022 | prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds… |