CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 46 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-12567 | | Cri | 0.64 | 9.8 | 0.01 | | Aug 7, 2017 | SQL injection exists in Quest KACE Asset Management Appliance 6.4.120822 through 7.2, Systems Management Appliance 6.4.120822 through 7.2.101, and K1000 as a Service 7.0 through 7.2. |
| CVE-2017-10816 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 4, 2017 | SQL injection vulnerability in the MaLion for Windows and Mac 5.0.0 to 5.2.1 allows remote attackers to execute arbitrary SQL commands via Relay Service Server. |
| CVE-2017-12199 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 2, 2017 | The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has SQL injection with these wp-admin/admin-ajax.php POST actions: catalogue_update_order list-item, video_update_order video-item, image_update_order list-item, tag_group_update_order list_item,… |
| CVE-2017-11184 | | Cri | 0.64 | 9.8 | 0.02 | | Jul 28, 2017 | SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. |
| CVE-2017-11631 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 26, 2017 | dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL injection via the id parameter. |
| CVE-2017-11324 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 24, 2017 | An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of the backtick character, a SELECT query in class.SystemAction.php is vulnerable to SQL Injection. The vulnerability can be triggered via a POST request to /actionphp/action.input.php with the id parameter. |
| CVE-2017-11584 | | Cri | 0.64 | 9.8 | 0.02 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php. |
| CVE-2017-11583 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. |
| CVE-2017-11582 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 24, 2017 | dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php. |
| CVE-2017-3221 | | Cri | 0.64 | 9.8 | 0.04 | | Jul 22, 2017 | Blind SQL injection in Inmarsat AmosConnect 8 login form allows remote attackers to access user credentials, including user names and passwords. |
| CVE-2017-11474 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 20, 2017 | GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php. |
| CVE-2017-11445 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 19, 2017 | Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array. |
| CVE-2017-11419 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title']. |
| CVE-2017-11418 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i]. |
| CVE-2017-11417 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id']. |
| CVE-2017-11416 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter. |
| CVE-2017-11415 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level']. |
| CVE-2017-11414 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id']. |
| CVE-2017-11413 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id']. |
| CVE-2017-11412 | | Cri | 0.64 | 9.8 | 0.01 | | Jul 18, 2017 | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id']. |