VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
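The CWE text above describes the mechanism in the abstract. As an added illustration (this is example code, not part of the CWE entry or of any product listed below), the same login check is written two ways in Python against an in-memory SQLite database: once with the user-supplied values pasted into the statement text, and once with parameter binding, where the statement text is fixed and the values never reach the SQL parser. The table, rows and payloads are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema and rows; they exist only for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    # The inputs become part of the statement text, so a quote character in
    # them closes the literal and everything after it is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'" % (
        name,
        password,
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn, name, password):
    # Parameter binding: the statement text never changes; the values are
    # handed to the engine separately and compared as data, quotes included.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Closes the name literal and appends a tautology; AND binds tighter than OR,
    # so the password check only applies to the right-hand branch.
    bypass_alice = "alice' OR ''='"
    # Turns the whole WHERE clause into "anything OR 1=1 OR ...": every row matches.
    dump_all = "' OR 1=1 OR '"
    print("vulnerable, targeted :", login_vulnerable(db, bypass_alice, "wrong"))
    print("vulnerable, dump all :", login_vulnerable(db, dump_all, "wrong"))
    print("fixed, same payload  :", login_fixed(db, bypass_alice, "wrong"))
    print("fixed, real password :", login_fixed(db, "alice", "s3cret"))
```

The payloads deliberately avoid comment sequences so that the effect rests purely on quote handling and operator precedence; the bound-parameter version treats `alice' OR ''='` as a username that does not exist and returns nothing.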

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 46 of 512
  • CVE-2017-12567 · Critical · Aug 7, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2.

  • CVE-2017-10816 · Critical · Aug 4, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in the MaLion for Windows and Mac 5.0.0 to 5.2.1 allows remote attackers to execute arbitrary SQL commands via Relay Service Server.

  • CVE-2017-12199 · Critical · Aug 2, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has SQL injection with these wp-admin/admin-ajax.php POST actions: catalogue_update_order list-item, video_update_order video-item, image_update_order list-item, tag_group_update_order list_item,…

  • CVE-2017-11184 · Critical · Jul 28, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.

  • CVE-2017-11631 · Critical · Jul 26, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL injection via the id parameter.

  • CVE-2017-11324 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of the backtick character, a SELECT query in class.SystemAction.php is vulnerable to SQL Injection. The vulnerability can be triggered via a POST request to /actionphp/action.input.php with the id parameter.

  • CVE-2017-11584 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php.

  • CVE-2017-11583 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php.

  • CVE-2017-11582 · Critical · Jul 24, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php.

  • CVE-2017-3221 · Critical · Jul 22, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    Blind SQL injection in Inmarsat AmosConnect 8 login form allows remote attackers to access user credentials, including user names and passwords.

  • CVE-2017-11474 · Critical · Jul 20, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.

  • CVE-2017-11445 · Critical · Jul 19, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array.

  • CVE-2017-11419 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title'].

  • CVE-2017-11418 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i].

  • CVE-2017-11417 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id'].

  • CVE-2017-11416 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter.

  • CVE-2017-11415 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level'].

  • CVE-2017-11414 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id'].

  • CVE-2017-11413 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id'].

  • CVE-2017-11412 · Critical · Jul 18, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id'].
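Several entries on this page are not the plain "quote in a string literal" case: CVE-2017-11324 (Tilde CMS) turns on a backtick that the application's escaping never touched, CVE-2017-11418 (Fiyo CMS) takes a sort column name from `$_GET['iSortCol_'.$i]`, and CVE-2017-3221 (AmosConnect) is exploited blind, with credentials recovered without any query output being shown. As an added example (example code, not taken from any of those products), the Python/SQLite program below shows why these are related: a column name in ORDER BY cannot be passed as a bound parameter, escaping quotes does nothing to an identifier position, and an attacker who controls that position can ask the database yes/no questions through the sort order alone. The schema, rows, the `ALLOWED_SORT_COLUMNS` allowlist and the function names are all constructed for the example.

```python
import sqlite3
import string

# Sort columns the (hypothetical) listing page really supports. The fix is an
# allowlist, because identifiers cannot be bound as parameters.
ALLOWED_SORT_COLUMNS = {"id", "title"}


def make_db():
    """Constructed in-memory schema and rows; they exist only for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [(1, "Beta"), (2, "Alpha")])
    return conn


def list_articles_vulnerable(conn, sort_col):
    # The sort column is spliced into the statement text. Escaping quote
    # characters would not help: nothing here is inside a string literal, so
    # whatever arrives is parsed as an SQL expression.
    return conn.execute("SELECT id, title FROM articles ORDER BY " + sort_col).fetchall()


def is_allowed_sort_column(sort_col):
    return sort_col in ALLOWED_SORT_COLUMNS


def list_articles_fixed(conn, sort_col):
    # Check the identifier against a fixed set, then quote it as an identifier
    # (double quotes in SQLite and standard SQL; MySQL uses backticks, which is
    # exactly the character the Tilde CMS escaping missed).
    if not is_allowed_sort_column(sort_col):
        raise ValueError("unsupported sort column: %r" % (sort_col,))
    return conn.execute('SELECT id, title FROM articles ORDER BY "%s"' % sort_col).fetchall()


def blind_extract_first_char(conn):
    """Attacker's view: recover the first character of alice's password using
    only the order of the returned rows, one yes/no question per request."""
    baseline = list_articles_vulnerable(conn, "title")  # order when the guess is wrong
    for guess in string.ascii_lowercase + string.digits:
        payload = (
            "CASE WHEN (SELECT substr(password, 1, 1) FROM users WHERE name = 'alice') = '%s' "
            "THEN id ELSE title END" % guess
        )
        # A correct guess flips the sort key from title to id, so the row order changes.
        if list_articles_vulnerable(conn, payload) != baseline:
            return guess
    return None


if __name__ == "__main__":
    db = make_db()
    print("sorted by id    :", list_articles_fixed(db, "id"))
    print("sorted by title :", list_articles_fixed(db, "title"))
    print("first password char, leaked via sort order:", blind_extract_first_char(db))
    print("allowlist rejects expression:", is_allowed_sort_column("CASE WHEN 1=1 THEN id ELSE title END"))
```

The loop in `blind_extract_first_char` is the shape of every boolean-based blind injection: the application never echoes query results, but a condition the attacker chooses still changes something observable (here, row order; in other cases a response code or a timing delay), and repeating the probe over each position reads out the secret.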