CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 44 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-1002021 | Cri | 0.64 | 9.8 | 0.04 | Sep 14, 2017 | Vulnerability in wordpress plugin surveys v1.01.8, The code in individual_responses.php does not sanitize the survey_id variable before placing it inside of an SQL query. | ||
| CVE-2017-1002020 | Cri | 0.64 | 9.8 | 0.04 | Sep 14, 2017 | Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_form.php does not sanitize the action variable before placing it inside of an SQL query. | ||
| CVE-2017-1002019 | Cri | 0.64 | 9.8 | 0.02 | Sep 14, 2017 | Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and event_form.php code do not sanitize input, this allows for blind SQL injection via the event parameter. | ||
| CVE-2017-1002018 | Cri | 0.64 | 9.8 | 0.02 | Sep 14, 2017 | Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and attendees.php code do not sanitize input, this allows for blind SQL injection via the event parameter. | ||
| CVE-2017-1002015 | Cri | 0.64 | 9.8 | 0.03 | Sep 14, 2017 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via selectMulGallery parameter. | ||
| CVE-2017-1002014 | Cri | 0.64 | 9.8 | 0.03 | Sep 14, 2017 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via gallery_name parameter. | ||
| CVE-2017-1002013 | Cri | 0.64 | 9.8 | 0.03 | Sep 14, 2017 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection via imgid parameter in image-gallery-with-slideshow/admin_setting.php. | ||
| CVE-2017-1002012 | Cri | 0.64 | 9.8 | 0.03 | Sep 14, 2017 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, In image-gallery-with-slideshow/admin_setting.php the following snippet of code does not sanitize input via the gid variable before passing it into an SQL statement. | ||
| CVE-2017-1002010 | Cri | 0.64 | 9.8 | 0.02 | Sep 14, 2017 | Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete_media function. | ||
| CVE-2017-1002009 | Cri | 0.64 | 9.8 | 0.02 | Sep 14, 2017 | Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete function. | ||
| CVE-2017-14403 | Cri | 0.64 | 9.8 | 0.01 | Sep 13, 2017 | The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the term parameter to module/admin_group/search.php. | ||
| CVE-2017-14402 | Cri | 0.64 | 9.8 | 0.01 | Sep 13, 2017 | The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT CREATION" section, related to lack of input validation in include/function.php. | ||
| CVE-2017-14401 | Cri | 0.64 | 9.8 | 0.01 | Sep 13, 2017 | The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT UPDATE" section. | ||
| CVE-2017-8015 | Cri | 0.64 | 9.8 | 0.02 | Sep 12, 2017 | EMC AppSync (all versions prior to 3.5) contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system. | ||
| CVE-2017-14345 | Cri | 0.64 | 9.8 | 0.01 | Sep 12, 2017 | SQL Injection exists in tianchoy/blog through 2017-09-12 via the id parameter to view.php. | ||
| CVE-2015-7877 | Cri | 0.64 | 9.8 | 0.01 | Sep 11, 2017 | Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2017-14252 | Cri | 0.64 | 9.8 | 0.01 | Sep 11, 2017 | SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the group_id cookie to side.php. | ||
| CVE-2017-14247 | Cri | 0.64 | 9.8 | 0.01 | Sep 11, 2017 | SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the user_id cookie to header.php, a related issue to CVE-2017-1000060. | ||
| CVE-2017-12731 | Cri | 0.64 | 9.8 | 0.02 | Sep 9, 2017 | A SQL Injection issue was discovered in OPW Fuel Management Systems SiteSentinel Integra 100, SiteSentinel Integra 500, and SiteSentinel iSite ATG consoles with the following software versions: older than V175, V175-V189, V191-V195, and V16Q3.1. The application is vulnerable to… | ||
| CVE-2017-11161 | Cri | 0.64 | 9.8 | 0.01 | Sep 8, 2017 | Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php. |
- risk 0.64cvss 9.8epss 0.04
Vulnerability in wordpress plugin surveys v1.01.8, The code in individual_responses.php does not sanitize the survey_id variable before placing it inside of an SQL query.
- risk 0.64cvss 9.8epss 0.04
Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_form.php does not sanitize the action variable before placing it inside of an SQL query.
- risk 0.64cvss 9.8epss 0.02
Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and event_form.php code do not sanitize input, this allows for blind SQL injection via the event parameter.
- risk 0.64cvss 9.8epss 0.02
Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and attendees.php code do not sanitize input, this allows for blind SQL injection via the event parameter.
- risk 0.64cvss 9.8epss 0.03
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via selectMulGallery parameter.
- risk 0.64cvss 9.8epss 0.03
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via gallery_name parameter.
- risk 0.64cvss 9.8epss 0.03
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection via imgid parameter in image-gallery-with-slideshow/admin_setting.php.
- risk 0.64cvss 9.8epss 0.03
Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, In image-gallery-with-slideshow/admin_setting.php the following snippet of code does not sanitize input via the gid variable before passing it into an SQL statement.
- risk 0.64cvss 9.8epss 0.02
Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete_media function.
- risk 0.64cvss 9.8epss 0.02
Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete function.
- risk 0.64cvss 9.8epss 0.01
The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the term parameter to module/admin_group/search.php.
- risk 0.64cvss 9.8epss 0.01
The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT CREATION" section, related to lack of input validation in include/function.php.
- risk 0.64cvss 9.8epss 0.01
The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT UPDATE" section.
- risk 0.64cvss 9.8epss 0.02
EMC AppSync (all versions prior to 3.5) contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system.
- risk 0.64cvss 9.8epss 0.01
SQL Injection exists in tianchoy/blog through 2017-09-12 via the id parameter to view.php.
- risk 0.64cvss 9.8epss 0.01
Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.64cvss 9.8epss 0.01
SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the group_id cookie to side.php.
- risk 0.64cvss 9.8epss 0.01
SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the user_id cookie to header.php, a related issue to CVE-2017-1000060.
- risk 0.64cvss 9.8epss 0.02
A SQL Injection issue was discovered in OPW Fuel Management Systems SiteSentinel Integra 100, SiteSentinel Integra 500, and SiteSentinel iSite ATG consoles with the following software versions: older than V175, V175-V189, V191-V195, and V16Q3.1. The application is vulnerable to…
- risk 0.64cvss 9.8epss 0.01
Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.