CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (9,793)
page 470 of 490| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-3820 | 0.00 | — | 0.00 | Oct 28, 2009 | SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2009-3813 | 0.00 | — | 0.00 | Oct 27, 2009 | Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the (1) forum parameter to modules/forum/post.php and possibly (2) forum_id variable to modules/forum/class/class.permissions.php. | |||
| CVE-2009-3801 | 0.00 | — | 0.00 | Oct 27, 2009 | SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmpass (aka Password) parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||
| CVE-2009-3788 | 0.00 | — | 0.00 | Oct 26, 2009 | SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmuser (aka Username) parameter. | |||
| CVE-2009-3778 | 0.00 | — | 0.01 | Oct 26, 2009 | SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2009-2940 | 0.00 | — | 0.01 | Oct 22, 2009 | The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. | |||
| CVE-2009-3697 | 0.00 | — | 0.03 | Oct 16, 2009 | SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters. | |||
| CVE-2009-3533 | 0.00 | — | 0.00 | Oct 2, 2009 | SQL injection vulnerability in report.php in Meeting Room Booking System (MRBS) before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the typematch parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2009-3532 | 0.00 | — | 0.00 | Oct 2, 2009 | Multiple SQL injection vulnerabilities in login.asp (aka the login screen) in LogRover 2.3 and 2.3.3 on Windows allow remote attackers to execute arbitrary SQL commands via the (1) uname and (2) pword parameters. NOTE: some of these details are obtained from third party… | |||
| CVE-2009-3505 | 0.00 | — | 0.00 | Sep 30, 2009 | SQL injection vulnerability in view_news.php in Vastal I-Tech MMORPG Zone allows remote attackers to execute arbitrary SQL commands via the news_id parameter. NOTE: the game_id vector is already covered by CVE-2008-4460. | |||
| CVE-2009-3501 | 0.00 | — | 0.00 | Sep 30, 2009 | SQL injection vulnerability in students.php in BPowerHouse BPStudents 1.0 allows remote attackers to execute arbitrary SQL commands via the test parameter in a preview action. | |||
| CVE-2009-3498 | 0.00 | — | 0.00 | Sep 30, 2009 | SQL injection vulnerability in php/update_article_hits.php in HBcms 1.7 allows remote attackers to execute arbitrary SQL commands via the article_id parameter. | |||
| CVE-2009-3497 | 0.00 | — | 0.00 | Sep 30, 2009 | SQL injection vulnerability in view_listing.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2009-3480 | 0.00 | — | 0.00 | Sep 30, 2009 | SQL injection vulnerability in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! allows remote attackers to execute arbitrary SQL commands via the p3 parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from… | |||
| CVE-2009-3337 | 0.00 | — | 0.01 | Sep 24, 2009 | SQL injection vulnerability in the Freetag (serendipity_event_freetag) plugin before 3.09 for Serendipity (S9Y) allows remote attackers to execute arbitrary SQL commands via an unspecified parameter associated with Meta keywords in a blog entry. | |||
| CVE-2009-3319 | 0.00 | — | 0.00 | Sep 23, 2009 | SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 allows remote attackers to execute arbitrary SQL commands via the id parameter in a sec list action, a different vector than CVE-2006-1018. | |||
| CVE-2009-3259 | 0.00 | — | 0.00 | Sep 18, 2009 | Multiple SQL injection vulnerabilities in RASH Quote Management System (RQMS) 1.2.2 allow remote attackers to execute arbitrary SQL commands via (1) the search parameter in a search action, (2) the quote parameter in a quote addition, or (3) a User_Name cookie in unspecified… | |||
| CVE-2009-3255 | 0.00 | — | 0.00 | Sep 18, 2009 | SQL injection vulnerability in RASH Quote Management System (RQMS) 1.2.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter in an admin action to the default URI. | |||
| CVE-2009-3212 | 0.00 | — | 0.00 | Sep 16, 2009 | SQL injection vulnerability in VivaPrograms Infinity Script 2.x.x, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username field. | |||
| CVE-2009-3165 | 0.00 | — | 0.00 | Sep 15, 2009 | SQL injection vulnerability in the Bug.create WebService function in Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. |
- CVE-2009-3820Oct 28, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2009-3813Oct 27, 2009risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the (1) forum parameter to modules/forum/post.php and possibly (2) forum_id variable to modules/forum/class/class.permissions.php.
- CVE-2009-3801Oct 27, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmpass (aka Password) parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2009-3788Oct 26, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to execute arbitrary SQL commands via the frmuser (aka Username) parameter.
- CVE-2009-3778Oct 26, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2009-2940Oct 22, 2009risk 0.00cvss —epss 0.01
The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.
- CVE-2009-3697Oct 16, 2009risk 0.00cvss —epss 0.03
SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.
- CVE-2009-3533Oct 2, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in report.php in Meeting Room Booking System (MRBS) before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the typematch parameter. NOTE: some of these details are obtained from third party information.
- CVE-2009-3532Oct 2, 2009risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in login.asp (aka the login screen) in LogRover 2.3 and 2.3.3 on Windows allow remote attackers to execute arbitrary SQL commands via the (1) uname and (2) pword parameters. NOTE: some of these details are obtained from third party…
- CVE-2009-3505Sep 30, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in view_news.php in Vastal I-Tech MMORPG Zone allows remote attackers to execute arbitrary SQL commands via the news_id parameter. NOTE: the game_id vector is already covered by CVE-2008-4460.
- CVE-2009-3501Sep 30, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in students.php in BPowerHouse BPStudents 1.0 allows remote attackers to execute arbitrary SQL commands via the test parameter in a preview action.
- CVE-2009-3498Sep 30, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in php/update_article_hits.php in HBcms 1.7 allows remote attackers to execute arbitrary SQL commands via the article_id parameter.
- CVE-2009-3497Sep 30, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in view_listing.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2009-3480Sep 30, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! allows remote attackers to execute arbitrary SQL commands via the p3 parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from…
- CVE-2009-3337Sep 24, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Freetag (serendipity_event_freetag) plugin before 3.09 for Serendipity (S9Y) allows remote attackers to execute arbitrary SQL commands via an unspecified parameter associated with Meta keywords in a blog entry.
- CVE-2009-3319Sep 23, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 allows remote attackers to execute arbitrary SQL commands via the id parameter in a sec list action, a different vector than CVE-2006-1018.
- CVE-2009-3259Sep 18, 2009risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in RASH Quote Management System (RQMS) 1.2.2 allow remote attackers to execute arbitrary SQL commands via (1) the search parameter in a search action, (2) the quote parameter in a quote addition, or (3) a User_Name cookie in unspecified…
- CVE-2009-3255Sep 18, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in RASH Quote Management System (RQMS) 1.2.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter in an admin action to the default URI.
- CVE-2009-3212Sep 16, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in VivaPrograms Infinity Script 2.x.x, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username field.
- CVE-2009-3165Sep 15, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Bug.create WebService function in Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters.