VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 45 of 512
  • CVE-2015-5052 · Critical · Sep 7, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in Sefrengo before 1.6.5 beta2.

  • CVE-2015-4627 · Critical · Sep 7, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in Pragyan CMS 3.0.

  • CVE-2017-14145 · Critical · Sep 5, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    HelpDEZk 1.1.1 has SQL Injection in app\modules\admin\controllers\loginController.php via the admin/login/getWarningInfo/id/ PATH_INFO, related to the selectWarning function.

  • CVE-2017-14076 · Critical · Aug 31, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id parameter to linksmanage.php in an editlink action.

  • CVE-2017-14069 · Critical · Aug 31, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the usernw array parameter to nowarn.php.

  • CVE-2015-7517 · Critical · Aug 29, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.04

    Multiple SQL injection vulnerabilities in the Double Opt-In for Download plugin before 2.0.9 for WordPress allow remote attackers to execute arbitrary SQL commands via the ver parameter to (1) class-doifd-download.php or (2) class-doifd-landing-page.php in public/includes/.

  • CVE-2017-10842 · Critical · Aug 29, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in baserCMS 3.0.14 and earlier and 4.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2017-13669 · Critical · Aug 24, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the setanswered parameter to staffbox.php.

  • CVE-2017-12679 · Critical · Aug 24, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater parameter to cheaterbox.php.

  • CVE-2017-13137 · Critical · Aug 23, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the id parameter to form.php.

  • CVE-2017-12981 · Critical · Aug 21, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an addforum action.

  • CVE-2017-12776 · Critical · Aug 18, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in reports.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the delreport parameter.

  • CVE-2017-12910 · Critical · Aug 17, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the or parameter.

  • CVE-2017-12909 · Critical · Aug 17, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in modtask.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the userid parameter.

  • CVE-2017-12908 · Critical · Aug 17, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the conusr parameter.

  • CVE-2015-3616 · Critical · Aug 11, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL injection vulnerability in Fortinet FortiManager 5.0.x before 5.0.11 and 5.2.x before 5.2.2 allows remote attackers to execute arbitrary commands via unspecified parameters.

  • CVE-2017-12774 · Critical · Aug 9, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    finecms 1.9.5, in controllers\member\ContentController.php, allows remote attackers to manipulate the website database.

  • CVE-2015-0782 · Critical · Aug 9, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.07

    SQL injection vulnerability in the ScheduleQuery method of the schedule class in Novell ZENworks Configuration Management (ZCM) allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2015-0780 · Critical · Aug 9, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.08

    SQL injection vulnerability in the GetReRequestData method of the GetStoredResult class in Novell ZENworks Configuration Management (ZCM) allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2017-12650 · Critical · Aug 7, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SQL Injection exists in the Loginizer plugin before 1.3.6 for WordPress via the X-Forwarded-For HTTP header.