CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,793)

page 477 of 490

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2008-4766	Bulletin Board Ace Bulletin Board Ace	—	0.00	Oct 28, 2008	SQL injection vulnerability in member.php in Oxygen Bulletin Board 1.1.3 allows remote attackers to execute arbitrary SQL commands via the member parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4746	Uniwin Ecart Professional	—	0.00	Oct 27, 2008	Multiple SQL injection vulnerabilities in Uniwin eCart Professional 2.0.17 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) search.asp and (2) cartUtil.asp.
CVE-2008-4660	TYPO3 M1 Intern	—	0.00	Oct 22, 2008	SQL injection vulnerability in the M1 Intern (m1_intern) 1.0.0 extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4659	TYPO3 Mannschaftsliste	—	0.00	Oct 22, 2008	SQL injection vulnerability in the Mannschaftsliste (kiddog_playerlist) 1.0.3 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4658	TYPO3 Jobcontrol	—	0.00	Oct 22, 2008	SQL injection vulnerability in the JobControl (dmmjobcontrol) 1.15.4 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4657	TYPO3 Econda Plugin	—	0.00	Oct 22, 2008	SQL injection vulnerability in the Econda Plugin (econda) 0.0.2 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4656	TYPO3 Frontend Users View	—	0.00	Oct 22, 2008	SQL injection vulnerability in the Frontend Users View (feusersview) 0.1.6 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4655	TYPO3 Simplesurvey	—	0.00	Oct 22, 2008	SQL injection vulnerability in the Simple survey (simplesurvey) 1.7.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4647	Sweetcms Sweetcms	—	0.00	Oct 22, 2008	SQL injection vulnerability in index.php in sweetCMS 1.5.2 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2008-4633	Drupal Node Vote	—	0.00	Oct 21, 2008	SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when "Allow user to vote again" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to a "previously cast vote."
CVE-2008-4534	Ec Cube Co.,ltd. Ec Cube	—	0.01	Oct 10, 2008	SQL injection vulnerability in EC-CUBE Ver2 2.1.2a and earlier, and Ver2 RC 2.3.0-rc1 and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4531	Drupal Brilliant Gallery	—	0.00	Oct 9, 2008	SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338.
CVE-2008-4487	Atarone Atarone	—	0.00	Oct 8, 2008	SQL injection vulnerability in ap-save.php in Atarone CMS 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) site_name, (2) email, (3) theme_chosen, (4) hp, (5) c_meta, (6) id, and (7) c_js parameters. NOTE: the provenance of this information is…
CVE-2008-3063	V Webmail V Webmail	—	0.00	Oct 8, 2008	SQL injection vulnerability in login.php in V-webmail 1.5.0 might allow remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-4433	Rmsoft Minishop Module	—	0.00	Oct 3, 2008	SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter.
CVE-2008-4431	Icebb Icebb	—	0.00	Oct 3, 2008	SQL injection vulnerability in index.php in IceBB 1.0-rc9.3 and earlier allows remote attackers to execute arbitrary SQL commands via the skin parameter, probably related to an incorrect protection mechanism in the clean_string function in includes/functions.php.
CVE-2008-4348	Outshine Phportfolio	—	0.00	Sep 30, 2008	SQL injection vulnerability in photo.php in PHPortfolio, possibly 1.3, allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-4338	Drupal Brilliant Gallery	—	0.00	Sep 30, 2008	SQL injection vulnerability in the brilliant_gallery_checklist_save function in the bgchecklist/save script in Brilliant Gallery 5.x and 6.x, a module for Drupal, allows remote authenticated users with "access brilliant_gallery" permissions to execute arbitrary SQL commands via…
CVE-2008-4094	Rubyonrails Rails	—	0.03	Sep 30, 2008	Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
CVE-2008-4148	Drupal Mailhandler	—	0.00	Sep 24, 2008	SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.

CVE-2008-4766Oct 28, 2008
Bulletin Board Ace
Bulletin Board Ace
risk 0.00cvss —epss 0.00
SQL injection vulnerability in member.php in Oxygen Bulletin Board 1.1.3 allows remote attackers to execute arbitrary SQL commands via the member parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2008-4746Oct 27, 2008
Uniwin
Ecart Professional
risk 0.00cvss —epss 0.00
Multiple SQL injection vulnerabilities in Uniwin eCart Professional 2.0.17 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) search.asp and (2) cartUtil.asp.
CVE-2008-4660Oct 22, 2008
TYPO3
M1 Intern
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the M1 Intern (m1_intern) 1.0.0 extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4659Oct 22, 2008
TYPO3
Mannschaftsliste
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Mannschaftsliste (kiddog_playerlist) 1.0.3 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4658Oct 22, 2008
TYPO3
Jobcontrol
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the JobControl (dmmjobcontrol) 1.15.4 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4657Oct 22, 2008
TYPO3
Econda Plugin
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Econda Plugin (econda) 0.0.2 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4656Oct 22, 2008
TYPO3
Frontend Users View
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Frontend Users View (feusersview) 0.1.6 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4655Oct 22, 2008
TYPO3
Simplesurvey
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Simple survey (simplesurvey) 1.7.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4647Oct 22, 2008
Sweetcms
Sweetcms
risk 0.00cvss —epss 0.00
SQL injection vulnerability in index.php in sweetCMS 1.5.2 allows remote attackers to execute arbitrary SQL commands via the page parameter.
CVE-2008-4633Oct 21, 2008
Drupal
Node Vote
risk 0.00cvss —epss 0.00
SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when "Allow user to vote again" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to a "previously cast vote."
CVE-2008-4534Oct 10, 2008
Ec Cube Co.,ltd.
Ec Cube
risk 0.00cvss —epss 0.01
SQL injection vulnerability in EC-CUBE Ver2 2.1.2a and earlier, and Ver2 RC 2.3.0-rc1 and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2008-4531Oct 9, 2008
Drupal
Brilliant Gallery
risk 0.00cvss —epss 0.00
SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338.
CVE-2008-4487Oct 8, 2008
Atarone
Atarone
risk 0.00cvss —epss 0.00
SQL injection vulnerability in ap-save.php in Atarone CMS 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) site_name, (2) email, (3) theme_chosen, (4) hp, (5) c_meta, (6) id, and (7) c_js parameters. NOTE: the provenance of this information is…
CVE-2008-3063Oct 8, 2008
V Webmail
V Webmail
risk 0.00cvss —epss 0.00
SQL injection vulnerability in login.php in V-webmail 1.5.0 might allow remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2008-4433Oct 3, 2008
Rmsoft
Minishop Module
risk 0.00cvss —epss 0.00
SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter.
CVE-2008-4431Oct 3, 2008
Icebb
Icebb
risk 0.00cvss —epss 0.00
SQL injection vulnerability in index.php in IceBB 1.0-rc9.3 and earlier allows remote attackers to execute arbitrary SQL commands via the skin parameter, probably related to an incorrect protection mechanism in the clean_string function in includes/functions.php.
CVE-2008-4348Sep 30, 2008
Outshine
Phportfolio
risk 0.00cvss —epss 0.00
SQL injection vulnerability in photo.php in PHPortfolio, possibly 1.3, allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-4338Sep 30, 2008
Drupal
Brilliant Gallery
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the brilliant_gallery_checklist_save function in the bgchecklist/save script in Brilliant Gallery 5.x and 6.x, a module for Drupal, allows remote authenticated users with "access brilliant_gallery" permissions to execute arbitrary SQL commands via…
CVE-2008-4094Sep 30, 2008
Rubyonrails
Rails
risk 0.00cvss —epss 0.03
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
CVE-2008-4148Sep 24, 2008
Drupal
Mailhandler
risk 0.00cvss —epss 0.00
SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.