CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (9,793)
page 476 of 490| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-5800 | 0.00 | — | 0.00 | Dec 31, 2008 | SQL injection vulnerability in the Wir ber uns [sic] (fsmi_people) extension 0.0.24 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-5798 | 0.00 | — | 0.00 | Dec 31, 2008 | SQL injection vulnerability in the CMS Poll system (cms_poll) extension before 0.1.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-5797 | 0.00 | — | 0.00 | Dec 31, 2008 | SQL injection vulnerability in the advCalendar extension 0.3.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-5796 | 0.00 | — | 0.00 | Dec 31, 2008 | SQL injection vulnerability in the eluna Page Comments (eluna_pagecomments) extension 1.1.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-4303 | 0.00 | — | 0.01 | Dec 23, 2008 | Multiple SQL injection vulnerabilities in phpCollab 2.5 rc3, 2.4, and earlier allow remote attackers to execute arbitrary SQL commands via the loginForm parameter to general/login.php, and unspecified other vectors. | |||
| CVE-2008-2380 | 0.00 | — | 0.01 | Dec 22, 2008 | SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes. | |||
| CVE-2008-5609 | 0.00 | — | 0.00 | Dec 17, 2008 | SQL injection vulnerability in the Commerce extension 0.9.6 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-5488 | 0.00 | — | 0.01 | Dec 12, 2008 | SQL injection vulnerability in admin.php in E-topbiz Domain Shop 2 allows remote attackers to execute arbitrary SQL commands via the passfromform parameter. | |||
| CVE-2008-5434 | 0.00 | — | 0.01 | Dec 11, 2008 | Multiple SQL injection vulnerabilities in PunBB 1.3 and 1.3.1 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) order_by or (2) direction parameter to admin/users.php, or (3) configuration options to admin/settings.php. | |||
| CVE-2007-6719 | 0.00 | — | 0.00 | Dec 5, 2008 | SQL injection vulnerability in Wiz-Ad 1.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||
| CVE-2008-2429 | 0.00 | — | 0.00 | Nov 26, 2008 | Multiple SQL injection vulnerabilities in Calendarix Basic 0.8.20071118 allow remote attackers to execute arbitrary SQL commands via (1) the catsearch parameter to cal_search.php or (2) the catview parameter to cal_cat.php. NOTE: vector 1 might overlap CVE-2007-3183.3, and… | |||
| CVE-2008-5165 | 0.00 | — | 0.01 | Nov 19, 2008 | Multiple SQL injection vulnerabilities in eTicket 1.5.7 allow remote attackers to execute arbitrary SQL commands via the pri parameter to (1) index.php, (2) open.php, (3) open_raw.php, and (4) newticket.php. | |||
| CVE-2008-5122 | 0.00 | — | 0.00 | Nov 18, 2008 | SQL injection vulnerability in WorkArea/ContentRatingGraph.aspx in Ektron CMS400.NET 7.5.2 and earlier allows remote attackers to execute arbitrary SQL commands via the res parameter. | |||
| CVE-2008-5087 | 0.00 | — | 0.00 | Nov 14, 2008 | SQL injection vulnerability in TYPO3 Another Backend Login (wrg_anotherbelogin) extension before 0.0.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-5055 | 0.00 | — | 0.01 | Nov 13, 2008 | SQL injection vulnerability in department_offline_context.php in ActiveCampaign TrioLive before 1.58.7 allows remote attackers to execute arbitrary SQL commands via the department_id parameter to index.php. | |||
| CVE-2008-4991 | 0.00 | — | 0.00 | Nov 6, 2008 | SQL injection vulnerability in LOCKON CO.,LTD. EC-CUBE 2.3.0 and earlier, 1.4.7 and earlier, and 1.5.0-beta2 and earlier; and Community Edition 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the parameter. | |||
| CVE-2008-4904 | 0.00 | — | 0.00 | Nov 4, 2008 | SQL injection vulnerability in the "Manage pages" feature (admin/pages) in Typo 5.1.3 and earlier allows remote authenticated users with "blog publisher" rights to execute arbitrary SQL commands via the search[published_at] parameter. | |||
| CVE-2008-3867 | 0.00 | — | 0.01 | Nov 3, 2008 | SQL injection vulnerability in spaces/emailuser.php in Interact 2.4.1 allows remote attackers to execute arbitrary SQL commands via the email_user_key parameter. | |||
| CVE-2008-4806 | 0.00 | — | 0.00 | Oct 31, 2008 | Multiple SQL injection vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via the sortField parameter to unspecified components. NOTE: the provenance of this information is unknown; the details are obtained solely… | |||
| CVE-2008-4804 | 0.00 | — | 0.00 | Oct 31, 2008 | SQL injection vulnerability in the Gallery module 1.3 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the aid parameter in a showalbum action to index.php. NOTE: some of these details are obtained from third party information. NOTE: this issue was… |
- CVE-2008-5800Dec 31, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Wir ber uns [sic] (fsmi_people) extension 0.0.24 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-5798Dec 31, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the CMS Poll system (cms_poll) extension before 0.1.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-5797Dec 31, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the advCalendar extension 0.3.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-5796Dec 31, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the eluna Page Comments (eluna_pagecomments) extension 1.1.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-4303Dec 23, 2008risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in phpCollab 2.5 rc3, 2.4, and earlier allow remote attackers to execute arbitrary SQL commands via the loginForm parameter to general/login.php, and unspecified other vectors.
- CVE-2008-2380Dec 22, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes.
- CVE-2008-5609Dec 17, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Commerce extension 0.9.6 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-5488Dec 12, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in admin.php in E-topbiz Domain Shop 2 allows remote attackers to execute arbitrary SQL commands via the passfromform parameter.
- CVE-2008-5434Dec 11, 2008risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in PunBB 1.3 and 1.3.1 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) order_by or (2) direction parameter to admin/users.php, or (3) configuration options to admin/settings.php.
- CVE-2007-6719Dec 5, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in Wiz-Ad 1.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
- CVE-2008-2429Nov 26, 2008risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in Calendarix Basic 0.8.20071118 allow remote attackers to execute arbitrary SQL commands via (1) the catsearch parameter to cal_search.php or (2) the catview parameter to cal_cat.php. NOTE: vector 1 might overlap CVE-2007-3183.3, and…
- CVE-2008-5165Nov 19, 2008risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in eTicket 1.5.7 allow remote attackers to execute arbitrary SQL commands via the pri parameter to (1) index.php, (2) open.php, (3) open_raw.php, and (4) newticket.php.
- CVE-2008-5122Nov 18, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in WorkArea/ContentRatingGraph.aspx in Ektron CMS400.NET 7.5.2 and earlier allows remote attackers to execute arbitrary SQL commands via the res parameter.
- CVE-2008-5087Nov 14, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in TYPO3 Another Backend Login (wrg_anotherbelogin) extension before 0.0.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-5055Nov 13, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in department_offline_context.php in ActiveCampaign TrioLive before 1.58.7 allows remote attackers to execute arbitrary SQL commands via the department_id parameter to index.php.
- CVE-2008-4991Nov 6, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in LOCKON CO.,LTD. EC-CUBE 2.3.0 and earlier, 1.4.7 and earlier, and 1.5.0-beta2 and earlier; and Community Edition 1.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the parameter.
- CVE-2008-4904Nov 4, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the "Manage pages" feature (admin/pages) in Typo 5.1.3 and earlier allows remote authenticated users with "blog publisher" rights to execute arbitrary SQL commands via the search[published_at] parameter.
- CVE-2008-3867Nov 3, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in spaces/emailuser.php in Interact 2.4.1 allows remote attackers to execute arbitrary SQL commands via the email_user_key parameter.
- CVE-2008-4806Oct 31, 2008risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via the sortField parameter to unspecified components. NOTE: the provenance of this information is unknown; the details are obtained solely…
- CVE-2008-4804Oct 31, 2008risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Gallery module 1.3 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the aid parameter in a showalbum action to index.php. NOTE: some of these details are obtained from third party information. NOTE: this issue was…