CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 45 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-5052 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 7, 2017 | SQL injection vulnerability in Sefrengo before 1.6.5 beta2. |
| CVE-2015-4627 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 7, 2017 | SQL injection vulnerability in Pragyan CMS 3.0. |
| CVE-2017-14145 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 5, 2017 | HelpDEZk 1.1.1 has SQL Injection in app\modules\admin\controllers\loginController.php via the admin/login/getWarningInfo/id/ PATH_INFO, related to the selectWarning function. |
| CVE-2017-14076 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 31, 2017 | SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id parameter to linksmanage.php in an editlink action. |
| CVE-2017-14069 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 31, 2017 | SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the usernw array parameter to nowarn.php. |
| CVE-2015-7517 | | Cri | 0.64 | 9.8 | 0.04 | | Aug 29, 2017 | Multiple SQL injection vulnerabilities in the Double Opt-In for Download plugin before 2.0.9 for WordPress allow remote attackers to execute arbitrary SQL commands via the ver parameter to (1) class-doifd-download.php or (2) class-doifd-landing-page.php in public/includes/. |
| CVE-2017-10842 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 29, 2017 | SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2017-13669 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 24, 2017 | SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the setanswered parameter to staffbox.php. |
| CVE-2017-12679 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 24, 2017 | SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater parameter to cheaterbox.php. |
| CVE-2017-13137 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 23, 2017 | The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the id parameter to form.php. |
| CVE-2017-12981 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 21, 2017 | NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via the sort parameter in an addforum action. |
| CVE-2017-12776 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 18, 2017 | SQL injection vulnerability in reports.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the delreport parameter. |
| CVE-2017-12910 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 17, 2017 | SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the or parameter. |
| CVE-2017-12909 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 17, 2017 | SQL injection vulnerability in modtask.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the userid parameter. |
| CVE-2017-12908 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 17, 2017 | SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the conusr parameter. |
| CVE-2015-3616 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 11, 2017 | SQL injection vulnerability in Fortinet FortiManager 5.0.x before 5.0.11, 5.2.x before 5.2.2 allows remote attackers to execute arbitrary commands via unspecified parameters. |
| CVE-2017-12774 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 9, 2017 | finecms in 1.9.5\controllers\member\ContentController.php allows remote attackers to operate website database |
| CVE-2015-0782 | | Cri | 0.64 | 9.8 | 0.07 | | Aug 9, 2017 | SQL injection vulnerability in the ScheduleQuery method of the schedule class in Novell ZENworks Configuration Management (ZCM) allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2015-0780 | | Cri | 0.64 | 9.8 | 0.08 | | Aug 9, 2017 | SQL injection vulnerability in the GetReRequestData method of the GetStoredResult class in Novell ZENworks Configuration Management (ZCM) allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2017-12650 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 7, 2017 | SQL Injection exists in the Loginizer plugin before 1.3.6 for WordPress via the X-Forwarded-For HTTP header. |