CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (9,793)
page 473 of 490| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-6697 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in TARGET-E WorldCup Bets (worldcup) 2.0.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6696 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in Fussballtippspiel (toto) 0.1.1 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6695 | 0.00 | — | 0.01 | Apr 10, 2009 | SQL injection vulnerability in TIMTAB social bookmark icons (timtab_sociable) 2.0.4 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6694 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in Random Prayer (ste_prayer) 0.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6693 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in Download system (sb_downloader) extension 0.1.4 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6692 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in Diocese of Portsmouth Training Courses (pd_trainingcourses) extension 0.1.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6691 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in Diocese of Portsmouth Calendar Today (pd_calendar_today) extension 0.0.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6689 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in JobControl (dmmjobcontrol) 1.15.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2008-6686 | 0.00 | — | 0.00 | Apr 10, 2009 | SQL injection vulnerability in CoolURI (cooluri) 1.0.11 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. | |||
| CVE-2009-1258 | 0.00 | — | 0.00 | Apr 7, 2009 | SQL injection vulnerability in the RD-Autos (com_rdautos) component 1.5.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the makeid parameter in index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third… | |||
| CVE-2008-6614 | 0.00 | — | 0.01 | Apr 6, 2009 | Multiple SQL injection vulnerabilities in microcms-admin-login.php in Implied By Design (IBD) Micro CMS 3.5 (aka 0.3.5) allow remote attackers to execute arbitrary SQL commands via (1) the administrators_username parameter (aka the Username field) or (2) the administrators_pass… | |||
| CVE-2009-1245 | 0.00 | — | 0.00 | Apr 6, 2009 | Multiple SQL injection vulnerabilities in the insert_to_pastebin function in php/cccp-admin/inc/functions.php in CCCP Community Clan Portal Pastebin before 2.80 allow remote attackers to execute arbitrary SQL commands via the (1) subject, (2) language, and (3) nickname… | |||
| CVE-2008-6595 | 0.00 | — | 0.00 | Apr 3, 2009 | SQL injection vulnerability in the pmk_rssnewsexport extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-6594 | 0.00 | — | 0.01 | Apr 3, 2009 | SQL injection vulnerability in the cm_rdfexport extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-6573 | 0.00 | — | 0.01 | Apr 1, 2009 | Multiple SQL injection vulnerabilities in Avaya SIP Enablement Services (SES) in Avaya Avaya Communication Manager 3.x, 4.0, and 5.0 (1) allow remote attackers to execute arbitrary SQL commands via unspecified vectors related to profiles in the SIP Personal Information Manager… | |||
| CVE-2009-1208 | 0.00 | — | 0.01 | Apr 1, 2009 | SQL injection vulnerability in auth2db 0.2.5, and possibly other versions before 0.2.7, uses the addslashes function instead of the mysql_real_escape_string function, which allows remote attackers to conduct SQL injection attacks using multibyte character encodings. | |||
| CVE-2009-1065 | 0.00 | — | 0.00 | Mar 26, 2009 | SQL injection vulnerability in index.php in Pixie CMS 1.01a allows remote attackers to execute arbitrary SQL commands via the x parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||
| CVE-2009-1034 | 0.00 | — | 0.00 | Mar 20, 2009 | SQL injection vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via values in the URI. | |||
| CVE-2009-1027 | 0.00 | — | 0.00 | Mar 20, 2009 | SQL injection vulnerability in OpenCart 1.1.8 allows remote attackers to execute arbitrary SQL commands via the order parameter. | |||
| CVE-2008-6463 | 0.00 | — | 0.00 | Mar 13, 2009 | SQL injection vulnerability in the Diocese of Portsmouth Church Search (pd_churchsearch) extension before 0.1.1, and 0.2.10 and earlier 0.2.x versions, an extension for TYPO3, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
- CVE-2008-6697Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in TARGET-E WorldCup Bets (worldcup) 2.0.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6696Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in Fussballtippspiel (toto) 0.1.1 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6695Apr 10, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in TIMTAB social bookmark icons (timtab_sociable) 2.0.4 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6694Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in Random Prayer (ste_prayer) 0.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6693Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in Download system (sb_downloader) extension 0.1.4 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6692Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in Diocese of Portsmouth Training Courses (pd_trainingcourses) extension 0.1.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6691Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in Diocese of Portsmouth Calendar Today (pd_calendar_today) extension 0.0.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6689Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in JobControl (dmmjobcontrol) 1.15.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2008-6686Apr 10, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in CoolURI (cooluri) 1.0.11 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
- CVE-2009-1258Apr 7, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in the RD-Autos (com_rdautos) component 1.5.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the makeid parameter in index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third…
- CVE-2008-6614Apr 6, 2009risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in microcms-admin-login.php in Implied By Design (IBD) Micro CMS 3.5 (aka 0.3.5) allow remote attackers to execute arbitrary SQL commands via (1) the administrators_username parameter (aka the Username field) or (2) the administrators_pass…
- CVE-2009-1245Apr 6, 2009risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in the insert_to_pastebin function in php/cccp-admin/inc/functions.php in CCCP Community Clan Portal Pastebin before 2.80 allow remote attackers to execute arbitrary SQL commands via the (1) subject, (2) language, and (3) nickname…
- CVE-2008-6595Apr 3, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in the pmk_rssnewsexport extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-6594Apr 3, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in the cm_rdfexport extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-6573Apr 1, 2009risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Avaya SIP Enablement Services (SES) in Avaya Avaya Communication Manager 3.x, 4.0, and 5.0 (1) allow remote attackers to execute arbitrary SQL commands via unspecified vectors related to profiles in the SIP Personal Information Manager…
- CVE-2009-1208Apr 1, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in auth2db 0.2.5, and possibly other versions before 0.2.7, uses the addslashes function instead of the mysql_real_escape_string function, which allows remote attackers to conduct SQL injection attacks using multibyte character encodings.
- CVE-2009-1065Mar 26, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in index.php in Pixie CMS 1.01a allows remote attackers to execute arbitrary SQL commands via the x parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2009-1034Mar 20, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Tasklist module 5.x-1.x before 5.x-1.3 and 5.x-2.x before 5.x-2.0-alpha1, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via values in the URI.
- CVE-2009-1027Mar 20, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in OpenCart 1.1.8 allows remote attackers to execute arbitrary SQL commands via the order parameter.
- CVE-2008-6463Mar 13, 2009risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Diocese of Portsmouth Church Search (pd_churchsearch) extension before 0.1.1, and 0.2.10 and earlier 0.2.x versions, an extension for TYPO3, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.