CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 429 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-3393 | 0.00 | — | 0.00 | Jul 31, 2008 | SQL injection vulnerability in events.cfm in BookMine allows remote attackers to execute arbitrary SQL commands via the events_id parameter. | ||
| CVE-2008-3359 | 0.00 | — | 0.00 | Jul 29, 2008 | SQL injection vulnerability in register.php in Steve Bourgeois and Chris Vincent Owl Intranet Knowledgebase 0.95 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-3341 | 0.00 | — | 0.00 | Jul 28, 2008 | Multiple SQL injection vulnerabilities in search_result.cfm in Jobbex JobSite allow remote attackers to execute arbitrary SQL commands via the (1) jobcountryid and (2) jobstateid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2008-3297 | 0.00 | — | 0.01 | Jul 25, 2008 | Multiple SQL injection vulnerabilities in SocialEngine (SE) before 2.83 allow remote attackers to execute arbitrary SQL commands via (1) an se_user cookie to include/class_user.php or (2) an se_admin cookie to include/class_admin.php. | ||
| CVE-2008-3258 | 0.00 | — | 0.00 | Jul 22, 2008 | Multiple SQL injection vulnerabilities in Zoph before 0.7.0.5 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3223 | 0.00 | — | 0.01 | Jul 18, 2008 | SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields." | ||
| CVE-2008-3122 | 0.00 | — | 0.00 | Jul 10, 2008 | Multiple SQL injection vulnerabilities in Xerox CentreWare Web (CWW) before 4.6.46 allow remote authenticated users to execute arbitrary SQL commands via the unspecified vectors. | ||
| CVE-2008-3092 | 0.00 | — | 0.00 | Jul 9, 2008 | SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3090 | 0.00 | — | 0.01 | Jul 9, 2008 | Multiple SQL injection vulnerabilities in index.php in BlognPlus (BURO GUN +) 2.5.5 MySQL and PostgreSQL editions allow remote attackers to execute arbitrary SQL commands via the (1) p, (2) e, (3) d, and (4) m parameters, a different vulnerability than CVE-2008-2819. | ||
| CVE-2008-3070 | 0.00 | — | 0.00 | Jul 8, 2008 | Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection. | ||
| CVE-2008-2667 | 0.00 | — | 0.02 | Jul 7, 2008 | SQL injection vulnerability in the Courier Authentication Library (aka courier-authlib) before 0.60.6 on SUSE openSUSE 10.3 and 11.0, and other platforms, when MySQL and a non-Latin character set are used, allows remote attackers to execute arbitrary SQL commands via the username and unspecified other vectors. | ||
| CVE-2008-3039 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the DAM Frontend (dam_frontend) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3038 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the Address Directory (sp_directory) extension 0.2.10 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3044 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the News Calendar (newscalendar) extension 1.0.7 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3051 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the Pinboard extension 0.0.6 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3056 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the Codeon Petition (cd_petition) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3055 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the Support view (ext_tbl) extension 0.0.102 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3054 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the Branchenbuch (aka Yellow Pages o (mh_branchenbuch) extension 0.8.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-3053 | 0.00 | — | 0.00 | Jul 7, 2008 | SQL injection vulnerability in the SQL Frontend (mh_omsqlio) extension 1.0.11 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2008-2999 | 0.00 | — | 0.00 | Jul 3, 2008 | Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
- CVE-2008-3393Jul 31, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in events.cfm in BookMine allows remote attackers to execute arbitrary SQL commands via the events_id parameter.
- CVE-2008-3359Jul 29, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in register.php in Steve Bourgeois and Chris Vincent Owl Intranet Knowledgebase 0.95 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-3341Jul 28, 2008risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in search_result.cfm in Jobbex JobSite allow remote attackers to execute arbitrary SQL commands via the (1) jobcountryid and (2) jobstateid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-3297Jul 25, 2008risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in SocialEngine (SE) before 2.83 allow remote attackers to execute arbitrary SQL commands via (1) an se_user cookie to include/class_user.php or (2) an se_admin cookie to include/class_admin.php.
- CVE-2008-3258Jul 22, 2008risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in Zoph before 0.7.0.5 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3223Jul 18, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields."
- CVE-2008-3122Jul 10, 2008risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in Xerox CentreWare Web (CWW) before 4.6.46 allow remote authenticated users to execute arbitrary SQL commands via the unspecified vectors.
- CVE-2008-3092Jul 9, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3090Jul 9, 2008risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in index.php in BlognPlus (BURO GUN +) 2.5.5 MySQL and PostgreSQL editions allow remote attackers to execute arbitrary SQL commands via the (1) p, (2) e, (3) d, and (4) m parameters, a different vulnerability than CVE-2008-2819.
- CVE-2008-3070Jul 8, 2008risk 0.00cvss —epss 0.00
Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection.
- CVE-2008-2667Jul 7, 2008risk 0.00cvss —epss 0.02
SQL injection vulnerability in the Courier Authentication Library (aka courier-authlib) before 0.60.6 on SUSE openSUSE 10.3 and 11.0, and other platforms, when MySQL and a non-Latin character set are used, allows remote attackers to execute arbitrary SQL commands via the username and unspecified other vectors.
- CVE-2008-3039Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the DAM Frontend (dam_frontend) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3038Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Address Directory (sp_directory) extension 0.2.10 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3044Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the News Calendar (newscalendar) extension 1.0.7 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3051Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Pinboard extension 0.0.6 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3056Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Codeon Petition (cd_petition) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3055Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Support view (ext_tbl) extension 0.0.102 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3054Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Branchenbuch (aka Yellow Pages o (mh_branchenbuch) extension 0.8.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3053Jul 7, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the SQL Frontend (mh_omsqlio) extension 1.0.11 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-2999Jul 3, 2008risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in the Aggregation module 5.x before 5.x-4.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.