VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,859)

page 449 of 493
  • CVE-2014-2245Mar 5, 2014
    Vincent Leclercq
    News
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are…

  • CVE-2013-3478Mar 5, 2014
    Apptha
    Wordpress Video Gallery
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in Apptha WordPress Video Gallery 2.0, 1.6, and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the playid parameter to index.php.

  • CVE-2013-6331Mar 5, 2014
    IBM
    Algo One
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 through 5.0.0, ACSWeb in Algo Security Access Control Management 4.7.0 through 4.9.0, and ACSWeb in AlgoWebApps 5.0.0, allows remote authenticated users to execute arbitrary SQL…

  • CVE-2013-6302Mar 5, 2014
    IBM
    Algo One
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in IBM Algo One, as used in MetaData Management Tools in UDS 4.7.0 through 5.0.0, ACSWeb in Algo Security Access Control Management 4.7.0 through 4.9.0, and ACSWeb in AlgoWebApps 5.0.0, allows remote authenticated users to execute arbitrary SQL…

  • CVE-2014-0821Feb 27, 2014
    Cybozu
    Garoon
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the download feature in Cybozu Garoon 2.x through 2.5.4 and 3.x through 3.7 SP3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6930 and CVE-2013-6931.

  • CVE-2014-0080Feb 20, 2014
    Rubyonrails
    Rails
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \…

  • CVE-2014-0734Feb 20, 2014
    Cisco Systems, Inc.
    Unified Communications Manager
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Certificate Authority Proxy Function (CAPF) implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum46483.

  • CVE-2014-0729Feb 13, 2014
    Cisco Systems, Inc.
    Unified Communications Manager
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Enterprise Mobility Application (EMApp) interface in Cisco Unified Communications Manager (UCM) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05302.

  • CVE-2014-0728Feb 13, 2014
    Cisco Systems, Inc.
    Unified Communications Manager
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the Java database interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05313.

  • CVE-2014-0727Feb 13, 2014
    Cisco Systems, Inc.
    Unified Communications Manager
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the CallManager Interactive Voice Response (CMIVR) interface in Cisco Unified Communications Manager (UCM) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05318.

  • CVE-2014-0726Feb 13, 2014
    Cisco Systems, Inc.
    Unified Communications Manager
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the IP Manager Assistant (IPMA) interface in Cisco Unified Communications Manager (UCM) 10.0(1) and earlier allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCum05326.

  • CVE-2014-1459Feb 11, 2014
    Doorgets
    Doorgets
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in dg-admin/index.php in doorGets CMS 5.2 and earlier allows remote authenticated administrators to execute arbitrary SQL commands via the _position_down_id parameter. NOTE: this can be leveraged using CSRF to allow remote attackers to execute…

  • CVE-2014-1401Feb 11, 2014
    Auracms
    Auracms
    risk 0.00cvss epss 0.03

    Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) search parameter to mod/content/content.php or (2) CLIENT_IP, (3) X_FORWARDED_FOR, (4) X_FORWARDED, (5) FORWARDED_FOR, or (6)…

  • CVE-2013-5012Feb 11, 2014
    Symantec
    Web Gateway
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-1471Feb 4, 2014
    OTRS
    Otrs
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a…

  • CVE-2012-3000Jan 30, 2014
    F5, Inc.
    Big IP
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in sam/admin/reports/php/saveSettings.php in the (1) APM WebGUI in F5 BIG-IP LTM, GTM, ASM, Link Controller, PSM, APM, Edge Gateway, and Analytics and (2) AVR WebGUI in WebAccelerator and WOM 11.2.x before 11.2.0-HF3 and 11.2.x before…

  • CVE-2013-4887Jan 29, 2014
    Xibosignage
    Xibo
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter.

  • CVE-2013-4662Jan 29, 2014
    Civicrm
    Civicrm
    risk 0.00cvss epss 0.01

    The Quick Search API in CiviCRM 4.2.0 through 4.2.9 and 4.3.0 through 4.3.3 allows remote authenticated users to bypass the validation layer and conduct SQL injection attacks via a direct request to the "second layer" of the API, related to contact.getquick.

  • CVE-2013-6931Jan 29, 2014
    Cybozu
    Garoon
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the API in Cybozu Garoon 3.7.x before 3.7.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2013-6929.

  • CVE-2013-6930Jan 29, 2014
    Cybozu
    Garoon
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the page-navigation implementation in Cybozu Garoon 2.0.0 through 2.0.6, 2.1.0 through 2.1.3, 2.5.0 through 2.5.4, 3.0.0 through 3.0.3, 3.5.0 through 3.5.5, and 3.7.x before 3.7.3 allows remote authenticated users to execute arbitrary SQL commands…