CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
BaseStableLikelihood: High
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
page 433 of 440| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2007-6491 | 0.00 | — | 0.00 | Dec 20, 2007 | Multiple SQL injection vulnerabilities in Kvaliitti WebDoc 3.0 CMS allow remote attackers to execute arbitrary SQL commands via (1) the cat_id parameter to categories.asp; and probably (2) the document_id parameter to categories.asp, and the (3) cat_id and (4) document_id parameters to subcategory.asp. | ||
| CVE-2007-6469 | 0.00 | — | 0.01 | Dec 20, 2007 | SQL injection vulnerability in index.php in phpRPG 0.8, when magic_qutoes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information. | ||
| CVE-2007-6381 | 0.00 | — | 0.01 | Dec 15, 2007 | SQL injection vulnerability in the indexed_search system extension in TYPO3 3.x, 4.0 through 4.0.7, and 4.1 through 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2007-6338 | 0.00 | — | 0.01 | Dec 15, 2007 | SQL injection vulnerability in userlogin.jsp in Trivantis CourseMill Enterprise Learning Management System 4.1 SP4 allows remote attackers to execute arbitrary SQL commands via the user parameter (username field). NOTE: some of these details are obtained from third party information. | ||
| CVE-2007-6373 | 0.00 | — | 0.00 | Dec 15, 2007 | Multiple SQL injection vulnerabilities in GestDown 1.00 Beta allow remote attackers to execute arbitrary SQL commands via the (1) categorie parameter to catdownload.php, or the id parameter to (2) download.php or (3) hitcounter.php. | ||
| CVE-2007-6345 | 0.00 | — | 0.00 | Dec 13, 2007 | SQL injection vulnerability in aurora framework before 20071208 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, possibly the value parameter to the pack_var function in module/db.lib/db_mysql.lib. NOTE: some of these details are obtained from third party information. | ||
| CVE-2007-6342 | 0.00 | — | 0.01 | Dec 13, 2007 | SQL injection vulnerability in the David Castro AuthCAS module (AuthCAS.pm) 0.4 for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the SESSION_COOKIE_NAME (session ID) in a cookie. | ||
| CVE-2007-6288 | 0.00 | — | 0.00 | Dec 10, 2007 | Multiple SQL injection vulnerabilities in TCExam before 5.1.000 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2007-6299 | 0.00 | — | 0.02 | Dec 10, 2007 | Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2) ajaxLoader, and (3) ubrowser contributed modules. | ||
| CVE-2007-6291 | 0.00 | — | 0.00 | Dec 10, 2007 | SQL injection vulnerability in abm.aspx in Xigla Absolute Banner Manager .NET 4.0 allows remote attackers to execute arbitrary SQL commands via the z parameter. | ||
| CVE-2007-6014 | 0.00 | — | 0.01 | Dec 5, 2007 | SQL injection vulnerability in post.php in Beehive Forum 0.7.1 and earlier allows remote attackers to execute arbitrary SQL commands via the t_dedupe parameter. | ||
| CVE-2007-6171 | 0.00 | — | 0.00 | Nov 30, 2007 | SQL injection vulnerability in the Postgres Realtime Engine (res_config_pgsql) in Asterisk 1.4.x before 1.4.15 and C.x before C.1.0-beta6 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | ||
| CVE-2007-6170 | 0.00 | — | 0.00 | Nov 30, 2007 | SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments. | ||
| CVE-2007-6168 | 0.00 | — | 0.00 | Nov 29, 2007 | SQL injection vulnerability in default.asp in VU Case Manager allows remote attackers to execute arbitrary SQL commands via the username parameter, a different vector than CVE-2007-6143. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2007-6169 | 0.00 | — | 0.00 | Nov 29, 2007 | SQL injection vulnerability in admin/index2.asp in GOUAE DWD Realty allows remote attackers to execute arbitrary SQL commands via the uname parameter, a different vector than CVE-2007-6163. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||
| CVE-2007-6143 | 0.00 | — | 0.01 | Nov 27, 2007 | SQL injection vulnerability in default.asp (aka the Login Page) in VU Case Manager allows remote attackers to execute arbitrary SQL commands via the password parameter. | ||
| CVE-2007-6140 | 0.00 | — | 0.01 | Nov 27, 2007 | Multiple SQL injection vulnerabilities in Dora Emlak 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) emlak_detay.asp and (b) haber_detay.asp, the (2) kategori parameter to (c) kategorisirala.asp, and the (3) tip parameter to (d) tipsirala.asp. | ||
| CVE-2007-6035 | 0.00 | — | 0.05 | Nov 20, 2007 | SQL injection vulnerability in graph.php in Cacti before 0.8.7a allows remote attackers to execute arbitrary SQL commands via the local_graph_id parameter. | ||
| CVE-2007-6012 | 0.00 | — | 0.00 | Nov 16, 2007 | SQL injection vulnerability in SearchR.asp in DocuSafe 4.1.0 and 4.1.2 allows remote attackers to execute arbitrary SQL commands via the artnr parameter (aka the search section). NOTE: some of these details are obtained from third party information. | ||
| CVE-2007-5991 | 0.00 | — | 0.00 | Nov 15, 2007 | SQL injection vulnerability in index.php in ExoPHPdesk allows remote attackers to execute arbitrary SQL commands via the user parameter in a profile fn action. |