VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 41 of 512
  • CVE-2017-17424 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUScheduleSet Get method requests.…

  • CVE-2017-17423 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUBackupSegment Get method…

  • CVE-2017-17422 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUBackup Get method requests. The…

  • CVE-2017-17421 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUSelectionSet Get method…

  • CVE-2017-17419 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUTransferHistory Get method…

  • CVE-2017-17418 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPolicy Get method requests. The…

  • CVE-2017-17416 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus GetPlugins method…

  • CVE-2017-17415 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus Count method…

  • CVE-2017-17414 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus Get method requests.…

  • CVE-2017-17413 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUBackupTargetSet Get method…

  • CVE-2017-17412 · Critical · Feb 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of GET method requests. The issue…

  • CVE-2018-6376 · Critical · Jan 30, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.05

    In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

  • CVE-2018-6308 · Critical · Jan 25, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and below via the track parameter to modules\Campaigns\Tracker.php and modules\Campaigns\utils.php, the default_currency_name parameter to modules\Configurator\controller.php and modules\Currencies\Currency.php,…

  • CVE-2018-5778 · Critical · Jan 24, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in Ipswitch WhatsUp Gold before 2017 Plus SP1 (17.1.1). Multiple SQL injection vulnerabilities are present in the legacy .ASP pages, which could allow attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2017-12729 · Critical · Jan 18, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A SQL Injection issue was discovered in Moxa SoftCMS Live Viewer through 1.6. An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability has been identified. Attackers can exploit this vulnerability to access SoftCMS without knowing the…

  • CVE-2018-5696 · Critical · Jan 14, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection via the `advertiser_status` and `status_select` parameters to index.php.

  • CVE-2015-9249 · Critical · Jan 12, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in Skybox Platform before 7.5.201. SQL Injection exists in /skyboxview/webservice/services/VersionWebService via a soapenv:Body element.

  • CVE-2017-1670 · Critical · Jan 9, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 133637.

  • CVE-2014-5071 · Critical · Jan 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in the checkPassword function in Symmetricom s350i 2.70.15 allows remote attackers to execute arbitrary SQL commands via vectors involving a username.

  • CVE-2017-5971 · Critical · Jan 8, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in NewsBee CMS allows remote attackers to execute arbitrary SQL commands.