CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
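The following is an added example, not code from MITRE or from any product listed on this page, showing the weakness the description names beside its fix. It assumes Python's standard `sqlite3` module and a constructed `users` table; the function names, the column names `uid` and `name`, and the sample rows are all hypothetical. It covers the two contexts that recur in the CVE descriptions below (a numeric request parameter such as `uid` and a quoted string value), and goes one step past the text by showing an identifier (a sort column) which cannot be bound as a parameter and so needs an allowlist instead.

```python
import sqlite3

# Constructed sample data standing in for an application's users table;
# this is not taken from any product listed on this page.
SAMPLE_USERS = [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_uid_vulnerable(conn, uid):
    """Numeric context built by concatenation (the CWE-89 pattern).

    A request value such as '2 OR 1=1' is spliced into the statement as SQL
    text, so the WHERE clause no longer means what the developer intended.
    """
    sql = "SELECT uid, name FROM users WHERE uid = " + uid
    return conn.execute(sql).fetchall()


def lookup_name_vulnerable(conn, name):
    """String context, quoted but still concatenated.

    Wrapping the value in quotes does not neutralize a quote inside it:
    x' OR '1'='1 closes the literal and appends a tautology.
    """
    sql = "SELECT uid, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_uid_parameterized(conn, uid):
    """Hardened form: the value is bound as a parameter, never as SQL text."""
    return conn.execute(
        "SELECT uid, name FROM users WHERE uid = ?", (uid,)
    ).fetchall()


def lookup_name_parameterized(conn, name):
    """Same for the string context; a quote in the input stays ordinary data."""
    return conn.execute(
        "SELECT uid, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_uid_typed(conn, uid):
    """Defense in depth for numeric parameters: convert to int first, so
    malformed input is rejected before it reaches the database at all."""
    n = int(uid)  # raises ValueError on input such as '2 OR 1=1'
    return lookup_uid_parameterized(conn, n)


# Identifiers (table and column names, sort direction) cannot be bound as
# parameters, so the safe option is a fixed allowlist, not escaping.
ALLOWED_SORT_COLUMNS = {"uid", "name"}


def list_users_sorted(conn, sort_column):
    """ORDER BY with an allowlisted column name instead of escaping."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    return conn.execute(
        "SELECT uid, name FROM users ORDER BY " + sort_column
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_uid_vulnerable(db, "2 OR 1=1"))          # every row
    print(lookup_name_vulnerable(db, "x' OR '1'='1"))     # every row
    print(lookup_uid_parameterized(db, "2 OR 1=1"))       # []
    print(lookup_name_parameterized(db, "x' OR '1'='1"))  # []
```

Binding the value is the fix; type conversion and identifier allowlisting are the checks that remain necessary where a parameter cannot carry the input (identifiers) or where a malformed value should be rejected before any query runs.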
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,812)
Page 409 of 441

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2011-4669 | | 0.00 | — | 0.01 | | Dec 2, 2011 | SQL injection vulnerability in wp-users.php in WordPress Users plugin 1.3 and possibly earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the uid parameter to index.php. |
| CVE-2010-5061 | | 0.00 | — | 0.00 | | Nov 23, 2011 | SQL injection vulnerability in index.php in RSStatic allows remote attackers to execute arbitrary SQL commands via the maxarticles parameter. |
| CVE-2010-5049 | | 0.00 | — | 0.00 | | Nov 23, 2011 | SQL injection vulnerability in events.php in Zabbix 1.8.1 and earlier allows remote attackers to execute arbitrary SQL commands via the nav_time parameter. |
| CVE-2011-3989 | | 0.00 | — | 0.00 | | Nov 4, 2011 | SQL injection vulnerability in DBD::mysqlPP 0.04 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-5006 | | 0.00 | — | 0.00 | | Nov 2, 2011 | SQL injection vulnerability in googlemap/index.php in EMO Realty Manager allows remote attackers to execute arbitrary SQL commands via the cat1 parameter. |
| CVE-2010-4994 | | 0.00 | — | 0.00 | | Nov 1, 2011 | SQL injection vulnerability in the Jobs Pro component 1.6.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the detailed_results parameter to search_jobs.html. |
| CVE-2011-4215 | | 0.00 | — | 0.01 | | Nov 1, 2011 | SQL injection vulnerability in lib/ooz_access.php in OneOrZero Action & Information Management System (AIMS) 2.7.0 allows remote attackers to execute arbitrary SQL commands via the cookieName variable. |
| CVE-2011-1915 | | 0.00 | — | 0.00 | | Nov 1, 2011 | SQL injection vulnerability in eClient 7.3.2.3 in Enspire Distribution Management Solution 7.3.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2011-3615 | | 0.00 | — | 0.00 | | Oct 24, 2011 | Multiple SQL injection vulnerabilities in Simple Machines Forum (SMF) before 1.1.15 and 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via vectors involving a (1) HTML entity or (2) display name. NOTE: some of these details are obtained from third party information. |
| CVE-2011-3988 | | 0.00 | — | 0.01 | | Oct 21, 2011 | SQL injection vulnerability in data/class/SC_Query.php in EC-CUBE 2.11.0 through 2.11.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-4961 | | 0.00 | — | 0.00 | | Oct 9, 2011 | SQL injection vulnerability in the Webkit PDFs (webkitpdf) extension before 1.1.4 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-4958 | | 0.00 | — | 0.01 | | Oct 9, 2011 | SQL injection vulnerability in index.php in Prado Portal 1.2.0 allows remote attackers to execute arbitrary SQL commands via the page parameter. |
| CVE-2010-4957 | | 0.00 | — | 0.01 | | Oct 9, 2011 | SQL injection vulnerability in the Questionnaire (ke_questionnaire) extension before 2.2.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-4952 | | 0.00 | — | 0.01 | | Oct 9, 2011 | SQL injection vulnerability in the FE user statistic (festat) extension before 0.2.4 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-4950 | | 0.00 | — | 0.00 | | Oct 9, 2011 | SQL injection vulnerability in the Event (event) extension before 0.3.7 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-4936 | | 0.00 | — | 0.00 | | Oct 9, 2011 | SQL injection vulnerability in the Slide Show (com_slideshow) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. |
| CVE-2010-4923 | | 0.00 | — | 0.00 | | Oct 9, 2011 | SQL injection vulnerability in book/detail.php in Virtue Netz Virtue Book Store allows remote attackers to execute arbitrary SQL commands via the bid parameter. |
| CVE-2010-4908 | | 0.00 | — | 0.00 | | Oct 8, 2011 | SQL injection vulnerability in detail.php in Virtue Shopping Mall allows remote attackers to execute arbitrary SQL commands via the prodid parameter. |
| CVE-2010-4903 | | 0.00 | — | 0.00 | | Oct 8, 2011 | SQL injection vulnerability in index.php in CubeCart 4.3.3 allows remote attackers to execute arbitrary SQL commands via the searchStr parameter. |
| CVE-2010-4897 | | 0.00 | — | 0.00 | | Oct 8, 2011 | SQL injection vulnerability in comment.php in BlueCMS 1.6 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header in a send action. |