VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,799)

page 430 of 440
  • CVE-2008-2925Jun 30, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in Webmatic before 2.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2008-2850Jun 25, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in the TrailScout module 5.x before 5.x-1.4 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified cookies, related to improper use of the Drupal database API.

  • CVE-2008-2819Jun 23, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in BlognPlus (BURO GUN +) 2.5.4 and earlier MySQL and PostgreSQL editions allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2008-2775Jun 19, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in search.asp in DT Centrepiece 4.0 allows remote attackers to execute arbitrary SQL commands via the searchFor parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-2760Jun 18, 2008
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in searchbanners.asp in Xigla Absolute Banner Manager XE 2.0 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2008-2767Jun 18, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in search.asp in Xigla Poll Manager XE allows remote authenticated users with administrator role privileges to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2008-2765Jun 18, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in gallery.asp in Xigla Absolute Image Gallery XE allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action.

  • CVE-2008-2763Jun 18, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in search.asp in Xigla Absolute Live Support XE 5.1 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2008-2762Jun 18, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in search.asp in Xigla Absolute Form Processor XE 4.0 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2008-2757Jun 18, 2008
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in search.asp in Xigla Absolute News Manager XE 3.2 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2008-2428Jun 18, 2008
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in TorrentTrader 1.08 Classic allow remote attackers to execute arbitrary SQL commands via the (1) email or (2) wantusername parameter to account-signup.php, or the (3) receiver parameter to account-inbox.php in a msg action.

  • CVE-2008-2685Jun 12, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in article.asp in Battle Blog 1.25 Build 4 and earlier allows remote attackers to execute arbitrary SQL commands via the entry parameter, a different vector than CVE-2008-2626.

  • CVE-2008-2642Jun 10, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in login.php in OtomiGenX 2.2 allows remote attackers to execute arbitrary SQL commands via the userAccount parameter (aka the User Name field) to index.php. NOTE: some of these details are obtained from third party information.

  • CVE-2008-2231Jun 5, 2008
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to execute SQL commands and read table information via the id parameter.

  • CVE-2008-2523Jun 3, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in the Autopatcher server plugin in RakNet before 3.23 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2008-2498May 28, 2008
    risk 0.00cvss epss 0.00

    Multiple SQL injection vulnerabilities in index.php in Mambo before 4.6.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) articleid and (2) mcname parameters. NOTE: some of these details are obtained from third party information.

  • CVE-2008-2489May 28, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in the Library for Frontend Plugins (aka sg_zfelib) extension 1.1.512 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified "user input."

  • CVE-2008-2460May 27, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action.

  • CVE-2008-2451May 27, 2008
    risk 0.00cvss epss 0.00

    Multiple SQL injection vulnerabilities in the Statistics (aka ke_stats) extension 0.1.2 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2008-2203May 14, 2008
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in search.php in Maian Search 1.1 allows remote attackers to execute arbitrary SQL commands via the keywords parameter in a search action.