CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,859)

page 447 of 493

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2013-3081	Jojocms Jojo	—	0.02	Jun 9, 2014	SQL injection vulnerability in the checkEmailFormat function in plugins/jojo_core/classes/Jojo.php in Jojo before 1.2.2 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header to /articles/test/.
CVE-2014-3973	Frontaccounting Frontaccounting	—	0.01	Jun 5, 2014	Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2014-3937	WordPress Contextual Related Posts	—	0.02	Jun 2, 2014	SQL injection vulnerability in the Contextual Related Posts plugin before 1.8.10.2 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2014-3932	Cososys Endpoint Protector	—	0.01	Jun 2, 2014	SQL injection vulnerability in the device registration component in wsf/webservice.php in CoSoSys Endpoint Protector 4 4.3.0.4 and 4.4.0.2 allows remote attackers to execute arbitrary SQL commands via unspecified parameters.
CVE-2014-3872	Dlink Dap 1350	—	0.01	May 27, 2014	Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.
CVE-2013-4016	IBM Maximo Asset Management	—	0.01	May 26, 2014	SQL injection vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006; SmartCloud Control Desk…
CVE-2014-3275	Cisco Systems, Inc. Identity Services Engine Software	—	0.02	May 26, 2014	SQL injection vulnerability in the web framework in Cisco Identity Services Engine (ISE) 1.2(.1 patch 2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCul21337.
CVE-2014-2948	Bizagi Bizagi BPM Suite	—	0.01	May 22, 2014	SQL injection vulnerability in workflowenginesoa.asmx in Bizagi BPM Suite through 10.4 allows remote authenticated users to execute arbitrary SQL commands via a crafted SOAP request.
CVE-2014-3783	Dotclear Dotclear	—	0.02	May 22, 2014	SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the categories_order parameter.
CVE-2014-2351	Codeworks Csworks	—	0.03	May 20, 2014	SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests.
CVE-2014-3759	Karlen Walter Si Bibtex	—	0.01	May 16, 2014	Multiple SQL injection vulnerabilities in the BibTex Publications (si_bibtex) extension 0.2.3 for TYPO3 allow remote attackers to execute arbitrary SQL commands via vectors related to the (1) search or (2) list functionality.
CVE-2014-0137	Red Hat Cloudforms Management Engine	—	0.01	May 14, 2014	SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.
CVE-2011-4970	Disk Pool Manager Project Disk Pool Manager	—	0.02	May 13, 2014	Multiple SQL injection vulnerabilities in LCG Disk Pool Manager (DPM) before 1.8.6, as used in EGI UDM, allow remote attackers to execute arbitrary SQL commands via the (1) r_token variable in the dpm_get_pending_req_by_token, (2) dpm_get_cpr_by_fullid, (3) dpm_get_cpr_by_surl,…
CVE-2014-2736	Modx Revolution	—	0.01	Apr 24, 2014	Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to…
CVE-2014-0474	Djangoproject Django	—	0.05	Apr 23, 2014	The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified…
CVE-2014-2737	Knowledgetree Knowledgetree	—	0.01	Apr 22, 2014	SQL injection vulnerability in the get_active_session function in the KTAPI_UserSession class in webservice/clienttools/services/mdownload.php in KnowledgeTree 3.7.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the u parameter, related to the…
CVE-2014-2654	Mobfox Madserve	—	0.01	Apr 22, 2014	Multiple SQL injection vulnerabilities in MobFox mAdserve 2.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) edit_ad_unit.php, (2) view_adunits.php, or (3) edit_campaign.php in www/cp/.
CVE-2013-7369	F-Secure Email And Server Security	—	0.01	Apr 18, 2014	SQL injection vulnerability in an unspecified DLL in the FSDBCom ActiveX control in F-Secure Anti-Virus for Microsoft Exchange Server before HF02, Anti-Virus for Windows Servers 9.00 before HF09, Anti-Virus for Citrix Servers 9.00 before HF09, and F-Secure Email and Server…
CVE-2013-7355	SAP Business Warehouse Universal Data Integration	—	0.01	Apr 10, 2014	SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema.
CVE-2014-2708	Cacti (software) Cacti	—	0.02	Apr 10, 2014	Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7)…

CVE-2013-3081Jun 9, 2014
Jojocms
Jojo
risk 0.00cvss —epss 0.02
SQL injection vulnerability in the checkEmailFormat function in plugins/jojo_core/classes/Jojo.php in Jojo before 1.2.2 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header to /articles/test/.
CVE-2014-3973Jun 5, 2014
Frontaccounting
Frontaccounting
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2014-3937Jun 2, 2014
WordPress
Contextual Related Posts
risk 0.00cvss —epss 0.02
SQL injection vulnerability in the Contextual Related Posts plugin before 1.8.10.2 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2014-3932Jun 2, 2014
Cososys
Endpoint Protector
risk 0.00cvss —epss 0.01
SQL injection vulnerability in the device registration component in wsf/webservice.php in CoSoSys Endpoint Protector 4 4.3.0.4 and 4.4.0.2 allows remote attackers to execute arbitrary SQL commands via unspecified parameters.
CVE-2014-3872May 27, 2014
Dlink
Dap 1350
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.
CVE-2013-4016May 26, 2014
IBM
Maximo Asset Management
risk 0.00cvss —epss 0.01
SQL injection vulnerability in IBM Maximo Asset Management 7.x before 7.1.1.7 LAFIX.20140319-0837, 7.1.1.11 before IFIX.20140323-0749, 7.1.1.12 before IFIX.20140321-1336, 7.5.x before 7.5.0.3 IFIX027, 7.5.0.4 before IFIX011, and 7.5.0.5 before IFIX006; SmartCloud Control Desk…
CVE-2014-3275May 26, 2014
Cisco Systems, Inc.
Identity Services Engine Software
risk 0.00cvss —epss 0.02
SQL injection vulnerability in the web framework in Cisco Identity Services Engine (ISE) 1.2(.1 patch 2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCul21337.
CVE-2014-2948May 22, 2014
Bizagi
Bizagi BPM Suite
risk 0.00cvss —epss 0.01
SQL injection vulnerability in workflowenginesoa.asmx in Bizagi BPM Suite through 10.4 allows remote authenticated users to execute arbitrary SQL commands via a crafted SOAP request.
CVE-2014-3783May 22, 2014
Dotclear
Dotclear
risk 0.00cvss —epss 0.02
SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the categories_order parameter.
CVE-2014-2351May 20, 2014
Codeworks
Csworks
risk 0.00cvss —epss 0.03
SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests.
CVE-2014-3759May 16, 2014
Karlen Walter
Si Bibtex
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in the BibTex Publications (si_bibtex) extension 0.2.3 for TYPO3 allow remote attackers to execute arbitrary SQL commands via vectors related to the (1) search or (2) list functionality.
CVE-2014-0137May 14, 2014
Red Hat
Cloudforms Management Engine
risk 0.00cvss —epss 0.01
SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.
CVE-2011-4970May 13, 2014
Disk Pool Manager Project
Disk Pool Manager
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in LCG Disk Pool Manager (DPM) before 1.8.6, as used in EGI UDM, allow remote attackers to execute arbitrary SQL commands via the (1) r_token variable in the dpm_get_pending_req_by_token, (2) dpm_get_cpr_by_fullid, (3) dpm_get_cpr_by_surl,…
CVE-2014-2736Apr 24, 2014
Modx
Revolution
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to…
CVE-2014-0474Apr 23, 2014
Djangoproject
Django
risk 0.00cvss —epss 0.05
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified…
CVE-2014-2737Apr 22, 2014
Knowledgetree
Knowledgetree
risk 0.00cvss —epss 0.01
SQL injection vulnerability in the get_active_session function in the KTAPI_UserSession class in webservice/clienttools/services/mdownload.php in KnowledgeTree 3.7.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the u parameter, related to the…
CVE-2014-2654Apr 22, 2014
Mobfox
Madserve
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in MobFox mAdserve 2.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) edit_ad_unit.php, (2) view_adunits.php, or (3) edit_campaign.php in www/cp/.
CVE-2013-7369Apr 18, 2014
F-Secure
Email And Server Security
risk 0.00cvss —epss 0.01
SQL injection vulnerability in an unspecified DLL in the FSDBCom ActiveX control in F-Secure Anti-Virus for Microsoft Exchange Server before HF02, Anti-Virus for Windows Servers 9.00 before HF09, Anti-Virus for Citrix Servers 9.00 before HF09, and F-Secure Email and Server…
CVE-2013-7355Apr 10, 2014
SAP
Business Warehouse Universal Data Integration
risk 0.00cvss —epss 0.01
SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema.
CVE-2014-2708Apr 10, 2014
Cacti (software)
Cacti
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7)…