VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
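The two halves of that description, input spliced into SQL text versus input kept as data, are easiest to see side by side. The block below is an added example, not part of the CWE entry or of any product listed on this page; it builds an in-memory SQLite database with constructed sample rows (the `surveys` and `users` tables, the hash value `f3a1`, and all function names are assumptions for illustration). It shows three consequences of the weakness: a numeric parameter that needs no quotes at all, a quoted string parameter, and a boolean "blind" oracle of the kind several CVEs on this page describe, through which a secret is recovered one character at a time even though the page never prints it. The hardened functions bind the same inputs as parameters.

```python
"""
Added example (not part of the CWE entry): how unneutralized input changes
the meaning of an SQL statement, and how a bound parameter prevents it.
Uses an in-memory SQLite database and constructed sample rows.
"""
import sqlite3


def make_db():
    """Constructed sample schema: surveys plus a users table the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE surveys (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO surveys VALUES (?, ?, ?)",
        [(1, "Public poll", "alice"),
         (2, "Internal review", "bob"),
         (3, "Board feedback", "carol")],
    )
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'f3a1')")  # constructed value
    return conn


# --- vulnerable: input becomes SQL text, so SQL syntax inside it is executed ---

def titles_by_id_vulnerable(conn, survey_id):
    # Numeric context: no quote to break out of, so "1 OR 1=1" works as-is (CWE-89)
    sql = f"SELECT title FROM surveys WHERE id = {survey_id}"
    return [row[0] for row in conn.execute(sql)]


def titles_by_owner_vulnerable(conn, owner):
    # Quoted context: a single quote in the input closes the literal early (CWE-89)
    sql = f"SELECT title FROM surveys WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def row_exists_vulnerable(conn, survey_id):
    """A page that reveals only whether a row matched: a boolean (blind) oracle."""
    sql = f"SELECT 1 FROM surveys WHERE id = {survey_id}"  # CWE-89
    return conn.execute(sql).fetchone() is not None


def blind_extract(conn, subquery, length, alphabet):
    """Recover a secret one character at a time through the boolean oracle.

    Each probe asks: is character `pos` of the subquery result equal to `ch`?
    The oracle never returns the secret, only whether the row matched.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = f"1 AND substr(({subquery}), {pos}, 1) = '{ch}'"
            if row_exists_vulnerable(conn, probe):
                recovered += ch
                break
    return recovered


# --- hardened: input travels as a bound parameter, never as SQL text ---

def titles_by_id_safe(conn, survey_id):
    sid = int(survey_id)  # type check first: "1 OR 1=1" raises ValueError
    return [row[0] for row in conn.execute(
        "SELECT title FROM surveys WHERE id = ?", (sid,))]


def titles_by_owner_safe(conn, owner):
    # The driver sends the value separately; quotes inside it are just data.
    return [row[0] for row in conn.execute(
        "SELECT title FROM surveys WHERE owner = ?", (owner,))]


if __name__ == "__main__":
    db = make_db()
    print(titles_by_id_vulnerable(db, "1 OR 1=1"))                           # all three titles
    print(titles_by_id_vulnerable(db, "0 UNION SELECT pw_hash FROM users"))  # ['f3a1']
    print(titles_by_owner_vulnerable(db, "' OR '1'='1"))                     # all three titles
    print(blind_extract(db, "SELECT pw_hash FROM users", 4, "0123456789abcdef"))  # f3a1
    print(titles_by_owner_safe(db, "' OR '1'='1"))                           # []
```

Two caveats a reviewer would raise on the hardened half: binding covers values only, so a table name, column name or `ORDER BY` direction taken from the request still has to be checked against a fixed allow-list, and `int()` is a type check, not a substitute for the parameter binding that follows it.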

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 44 of 512
  • CVE-2017-1002021 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    Vulnerability in wordpress plugin surveys v1.01.8, The code in individual_responses.php does not sanitize the survey_id variable before placing it inside of an SQL query.

  • CVE-2017-1002020 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_form.php does not sanitize the action variable before placing it inside of an SQL query.

  • CVE-2017-1002019 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and event_form.php code do not sanitize input, this allows for blind SQL injection via the event parameter.

  • CVE-2017-1002018 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and attendees.php code do not sanitize input, this allows for blind SQL injection via the event parameter.

  • CVE-2017-1002015 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via selectMulGallery parameter.

  • CVE-2017-1002014 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via gallery_name parameter.

  • CVE-2017-1002013 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection via imgid parameter in image-gallery-with-slideshow/admin_setting.php.

  • CVE-2017-1002012 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, In image-gallery-with-slideshow/admin_setting.php the following snippet of code does not sanitize input via the gid variable before passing it into an SQL statement.

  • CVE-2017-1002010 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete_media function.

  • CVE-2017-1002009 · Critical · Sep 14, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete function.

  • CVE-2017-14403 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the term parameter to module/admin_group/search.php.

  • CVE-2017-14402 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT CREATION" section, related to lack of input validation in include/function.php.

  • CVE-2017-14401 · Critical · Sep 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection via the user_name parameter to module/admin_user/add_modify_user.php in the "ACCOUNT UPDATE" section.

  • CVE-2017-8015 · Critical · Sep 12, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    EMC AppSync (all versions prior to 3.5) contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system.

  • CVE-2017-14345 · Critical · Sep 12, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection exists in tianchoy/blog through 2017-09-12 via the id parameter to view.php.

  • CVE-2015-7877 · Critical · Sep 11, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2017-14252 · Critical · Sep 11, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the group_id cookie to side.php.

  • CVE-2017-14247 · Critical · Sep 11, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5.1-0 via the user_id cookie to header.php, a related issue to CVE-2017-1000060.

  • CVE-2017-12731 · Critical · Sep 9, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    A SQL Injection issue was discovered in OPW Fuel Management Systems SiteSentinel Integra 100, SiteSentinel Integra 500, and SiteSentinel iSite ATG consoles with the following software versions: older than V175, V175-V189, V191-V195, and V16Q3.1. The application is vulnerable to…

  • CVE-2017-11161 · Critical · Sep 8, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.