CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,859)

page 450 of 493

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2013-7175	Avanset Visual Certexam Manager	—	0.01	Jan 24, 2014	Multiple SQL injection vulnerabilities in Avanset Visual CertExam Manager 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) Title, (2) File name, or (3) Candidate Name field.
CVE-2012-6625	WordPress Forum Server	—	0.05	Jan 16, 2014	SQL injection vulnerability in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the groupid parameter in an editgroup action.
CVE-2014-1466	Csp Mysql User Manager Project Csp Mysql User Manager	—	0.02	Jan 15, 2014	SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.
CVE-2014-1206	Owa Owa	—	0.03	Jan 15, 2014	SQL injection vulnerability in the password reset page in Open Web Analytics (OWA) before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the owa_email_address parameter in a base.passwordResetRequest action to index.php.
CVE-2013-6321	IBM Atlas Ediscovery Process Management	—	0.01	Jan 10, 2014	SQL injection vulnerability in IBM Atlas eDiscovery Process Management 6.0.1.5 and earlier and 6.0.2, Disposal and Governance Management for IT 6.0.1.5 and earlier and 6.0.2, and Global Retention Policy and Schedule Management 6.0.1.5 and earlier and 6.0.2 in IBM Atlas Suite…
CVE-2013-7262	MapServer Mapserver	—	0.02	Jan 5, 2014	SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.
CVE-2013-7225	Fatfreecrm Fat Free CRM	—	0.02	Jan 2, 2014	Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
CVE-2013-7242	Zenphoto Zenphoto	—	0.02	Dec 31, 2013	SQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter.
CVE-2013-6983	Cisco Systems, Inc. Unified Presence Server	—	0.02	Dec 31, 2013	SQL injection vulnerability in the web interface in Cisco Unified Presence Server allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuh35615.
CVE-2013-7232	Esri Arcgis Server	—	0.02	Dec 30, 2013	SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.
CVE-2013-7149	Openx Openx	—	0.02	Dec 28, 2013	SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and OpenX Source 2.8.11 and earlier, allows remote attackers to execute arbitrary SQL commands via the what parameter to an XML-RPC method.
CVE-2013-6929	Cybozu Garoon	—	0.02	Dec 28, 2013	SQL injection vulnerability in Cybozu Garoon 3.7 SP2 and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted API input.
CVE-2013-7216	Etoshop Classifieds Creator	—	0.01	Dec 24, 2013	Multiple SQL injection vulnerabilities in Classifieds Creator 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to demo/classifieds/product.asp, or (2) UserID or (3) Password field to demo/classifieds/admin.asp.
CVE-2013-4461	Trevor Mckay Cumin	—	0.02	Dec 23, 2013	SQL injection vulnerability in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allows remote attackers to execute arbitrary SQL commands via vectors related to the "filtering table operator."
CVE-2013-5409	IBM Sterling B2b Integrator	—	0.01	Dec 21, 2013	Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-7096	SAP Emr Unwired	—	0.02	Dec 13, 2013	Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-7094	SAP Netweaver	—	0.01	Dec 13, 2013	SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-7092	McAfee Email Gateway	—	0.02	Dec 13, 2013	Multiple SQL injection vulnerabilities in /admin/cgi-bin/rpc/doReport/18 in McAfee Email Gateway 7.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) events_col, (2) event_id, (3) reason, (4) events_order, (5) emailstatus_order, or (6)…
CVE-2013-5354	Sharetronix Sharetronix	—	0.01	Dec 9, 2013	Multiple SQL injection vulnerabilities in Sharetronix 3.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) fb_user_id or (2) tw_user_id parameter to signup.
CVE-2013-6001	Cybozu Garoon	—	0.01	Dec 5, 2013	SQL injection vulnerability in the Space function in Cybozu Garoon before 3.7 SP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVE-2013-7175Jan 24, 2014
Avanset
Visual Certexam Manager
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Avanset Visual CertExam Manager 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) Title, (2) File name, or (3) Candidate Name field.
CVE-2012-6625Jan 16, 2014
WordPress
Forum Server
risk 0.00cvss —epss 0.05
SQL injection vulnerability in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the groupid parameter in an editgroup action.
CVE-2014-1466Jan 15, 2014
Csp Mysql User Manager Project
Csp Mysql User Manager
risk 0.00cvss —epss 0.02
SQL injection vulnerability in CSP MySQL User Manager 2.3 allows remote attackers to execute arbitrary SQL commands via the login field of the login page.
CVE-2014-1206Jan 15, 2014
Owa
Owa
risk 0.00cvss —epss 0.03
SQL injection vulnerability in the password reset page in Open Web Analytics (OWA) before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the owa_email_address parameter in a base.passwordResetRequest action to index.php.
CVE-2013-6321Jan 10, 2014
IBM
Atlas Ediscovery Process Management
risk 0.00cvss —epss 0.01
SQL injection vulnerability in IBM Atlas eDiscovery Process Management 6.0.1.5 and earlier and 6.0.2, Disposal and Governance Management for IT 6.0.1.5 and earlier and 6.0.2, and Global Retention Policy and Schedule Management 6.0.1.5 and earlier and 6.0.2 in IBM Atlas Suite…
CVE-2013-7262Jan 5, 2014
MapServer
Mapserver
risk 0.00cvss —epss 0.02
SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.
CVE-2013-7225Jan 2, 2014
Fatfreecrm
Fat Free CRM
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
CVE-2013-7242Dec 31, 2013
Zenphoto
Zenphoto
risk 0.00cvss —epss 0.02
SQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter.
CVE-2013-6983Dec 31, 2013
Cisco Systems, Inc.
Unified Presence Server
risk 0.00cvss —epss 0.02
SQL injection vulnerability in the web interface in Cisco Unified Presence Server allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuh35615.
CVE-2013-7232Dec 30, 2013
Esri
Arcgis Server
risk 0.00cvss —epss 0.02
SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.
CVE-2013-7149Dec 28, 2013
Openx
Openx
risk 0.00cvss —epss 0.02
SQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and OpenX Source 2.8.11 and earlier, allows remote attackers to execute arbitrary SQL commands via the what parameter to an XML-RPC method.
CVE-2013-6929Dec 28, 2013
Cybozu
Garoon
risk 0.00cvss —epss 0.02
SQL injection vulnerability in Cybozu Garoon 3.7 SP2 and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted API input.
CVE-2013-7216Dec 24, 2013
Etoshop
Classifieds Creator
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Classifieds Creator 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to demo/classifieds/product.asp, or (2) UserID or (3) Password field to demo/classifieds/admin.asp.
CVE-2013-4461Dec 23, 2013
Trevor Mckay
Cumin
risk 0.00cvss —epss 0.02
SQL injection vulnerability in the web interface for cumin in Red Hat Enterprise MRG Grid 2.4 allows remote attackers to execute arbitrary SQL commands via vectors related to the "filtering table operator."
CVE-2013-5409Dec 21, 2013
IBM
Sterling B2b Integrator
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in IBM Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-7096Dec 13, 2013
SAP
Emr Unwired
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-7094Dec 13, 2013
SAP
Netweaver
risk 0.00cvss —epss 0.01
SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2013-7092Dec 13, 2013
McAfee
Email Gateway
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in /admin/cgi-bin/rpc/doReport/18 in McAfee Email Gateway 7.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) events_col, (2) event_id, (3) reason, (4) events_order, (5) emailstatus_order, or (6)…
CVE-2013-5354Dec 9, 2013
Sharetronix
Sharetronix
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Sharetronix 3.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) fb_user_id or (2) tw_user_id parameter to signup.
CVE-2013-6001Dec 5, 2013
Cybozu
Garoon
risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Space function in Cybozu Garoon before 3.7 SP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.