CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 48 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-6818 | Cri | 0.64 | 9.8 | 0.02 | Apr 13, 2017 | SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL… | ||
| CVE-2016-2566 | Cri | 0.64 | 9.8 | 0.02 | Apr 13, 2017 | Samsung SecEmailSync on SM-G920F build G920FXXU2COH2 (Galaxy S6) devices has SQL injection, aka SVE-2015-5081. | ||
| CVE-2017-7628 | Cri | 0.64 | 9.8 | 0.01 | Apr 13, 2017 | The "Smart related articles" extension 1.1 for Joomla! has SQL injection in dialog.php (attacker must use search_cats variable in POST method to exploit this vulnerability). | ||
| CVE-2017-7719 | Cri | 0.64 | 9.8 | 0.02 | Apr 12, 2017 | SQL injection in the Spider Event Calendar (aka spider-event-calendar) plugin before 1.5.52 for WordPress is exploitable with the order_by parameter to calendar_functions.php or widget_Theme_functions.php, related to front_end/frontend_functions.php. | ||
| CVE-2017-7410 | Cri | 0.64 | 9.8 | 0.03 | Apr 3, 2017 | Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter. | ||
| CVE-2017-6013 | Cri | 0.64 | 9.8 | 0.02 | Mar 27, 2017 | Subrion CMS 4.0.5.10 has SQL injection in admin/database/ via the query parameter. | ||
| CVE-2016-9087 | Cri | 0.64 | 9.8 | 0.02 | Mar 7, 2017 | SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter. | ||
| CVE-2016-9020 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter. | ||
| CVE-2016-9019 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in the activate_address function in framework/modules/addressbook/controllers/addressController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the is_what parameter. | ||
| CVE-2016-7789 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the apikey parameter. | ||
| CVE-2016-7788 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter. | ||
| CVE-2016-7784 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter. | ||
| CVE-2016-7783 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter. | ||
| CVE-2016-7782 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the src parameter. | ||
| CVE-2016-7781 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter. | ||
| CVE-2016-7780 | Cri | 0.64 | 9.8 | 0.03 | Mar 7, 2017 | SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter. | ||
| CVE-2016-10204 | Cri | 0.64 | 9.8 | 0.02 | Mar 3, 2017 | SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. | ||
| CVE-2016-6233 | Cri | 0.64 | 9.8 | 0.02 | Feb 17, 2017 | The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression. | ||
| CVE-2016-4861 | Cri | 0.64 | 9.8 | 0.04 | Feb 17, 2017 | The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation. | ||
| CVE-2017-5154 | Cri | 0.64 | 9.8 | 0.04 | Feb 13, 2017 | An issue was discovered in Advantech WebAccess Version 8.1. To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. Successful attack could result in administrative access to the application and its data files. |
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), or launch administrative operations or possibly OS commands via a crafted SQL…
- risk 0.64cvss 9.8epss 0.02
Samsung SecEmailSync on SM-G920F build G920FXXU2COH2 (Galaxy S6) devices has SQL injection, aka SVE-2015-5081.
- risk 0.64cvss 9.8epss 0.01
The "Smart related articles" extension 1.1 for Joomla! has SQL injection in dialog.php (attacker must use search_cats variable in POST method to exploit this vulnerability).
- risk 0.64cvss 9.8epss 0.02
SQL injection in the Spider Event Calendar (aka spider-event-calendar) plugin before 1.5.52 for WordPress is exploitable with the order_by parameter to calendar_functions.php or widget_Theme_functions.php, related to front_end/frontend_functions.php.
- risk 0.64cvss 9.8epss 0.03
Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter.
- risk 0.64cvss 9.8epss 0.02
Subrion CMS 4.0.5.10 has SQL injection in admin/database/ via the query parameter.
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in the activate_address function in framework/modules/addressbook/controllers/addressController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the is_what parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the apikey parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the src parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter.
- risk 0.64cvss 9.8epss 0.03
SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
- risk 0.64cvss 9.8epss 0.02
SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php.
- risk 0.64cvss 9.8epss 0.02
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.
- risk 0.64cvss 9.8epss 0.04
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
- risk 0.64cvss 9.8epss 0.04
An issue was discovered in Advantech WebAccess Version 8.1. To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. Successful attack could result in administrative access to the application and its data files.