VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,793)

page 482 of 490
  • CVE-2008-0607Feb 6, 2008
    Sigsiu.net
    Sobi2
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in index.php in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) 2.5.3 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the catid parameter. NOTE: the provenance of this information is unknown; the…

  • CVE-2008-0543Feb 1, 2008
    Preprojects
    Pre Dynamic Institution
    risk 0.00cvss epss 0.00

    Multiple SQL injection vulnerabilities in Pre Dynamic Institution allow remote attackers to execute arbitrary SQL commands via the (1) sloginid and (2) spass parameters to (a) login.asp and (b) siteadmin/login.asp. NOTE: some of these details are obtained from third party…

  • CVE-2008-0499Jan 30, 2008
    Mambo LaiThai
    Mambo LaiThai
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in Mambo LaiThai 4.5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2008-0449Jan 25, 2008
    Rocksalt International
    Vp Asp
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in paypalresult.asp in VP-ASP Shopping Cart 6.50 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-0363Jan 18, 2008
    Clever Copy
    Clever Copy
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in Clever Copy 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to postcomment.php and the (2) album parameter to gallery.php.

  • CVE-2008-0173Jan 15, 2008
    GForge
    Gforge
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in Gforge 4.6.99 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified parameters, related to RSS exports.

  • CVE-2007-5402Jan 9, 2008
    Layton Technology
    Helpbox
    risk 0.00cvss epss 0.00

    Multiple SQL injection vulnerabilities in Layton HelpBox 3.7.1 allow (1) remote attackers to execute arbitrary SQL commands via the sys_request_id parameter to editrequestenduser.asp; and allow remote authenticated users to execute arbitrary SQL commands via (2) the oldpassword…

  • CVE-2008-0130Jan 8, 2008
    Instantsoftwares
    Dating Site
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in login_form.asp in Instant Softwares Dating Site allows remote attackers to execute arbitrary SQL commands via the Username parameter, a different vulnerability than CVE-2007-6671. NOTE: the provenance of this information is unknown; the details…

  • CVE-2007-6540Dec 27, 2007
    Neuron News
    News
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in neuron news 1.0 allows remote attackers to execute arbitrary SQL commands via the q parameter to the default URI in patch/.

  • CVE-2007-6517Dec 24, 2007
    Aeries
    Aeries Browser Interface
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the forget password section (LostPwd.asp) in Eagle Software Aeries Browser Interface (ABI) 3.7.9.17 allows remote attackers to execute arbitrary SQL commands via the EmailAddress parameter. NOTE: some of these details are obtained from third party…

  • CVE-2007-6484Dec 20, 2007
    Phprpg
    Phprpg
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in index.php in phpRPG 0.8 allows remote attackers to execute arbitrary SQL commands via the password parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2007-6491Dec 20, 2007
    Kvaliitti
    WebDoc 3.0
    risk 0.00cvss epss 0.00

    Multiple SQL injection vulnerabilities in Kvaliitti WebDoc 3.0 CMS allow remote attackers to execute arbitrary SQL commands via (1) the cat_id parameter to categories.asp; and probably (2) the document_id parameter to categories.asp, and the (3) cat_id and (4) document_id…

  • CVE-2007-6469Dec 20, 2007
    Phprpg
    Phprpg
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in index.php in phpRPG 0.8, when magic_qutoes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2007-6381Dec 15, 2007
    TYPO3
    Typo3
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the indexed_search system extension in TYPO3 3.x, 4.0 through 4.0.7, and 4.1 through 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2007-6373Dec 15, 2007
    Gestdown
    Gestdown
    risk 0.00cvss epss 0.00

    Multiple SQL injection vulnerabilities in GestDown 1.00 Beta allow remote attackers to execute arbitrary SQL commands via the (1) categorie parameter to catdownload.php, or the id parameter to (2) download.php or (3) hitcounter.php.

  • CVE-2007-6338Dec 15, 2007
    Trivantis
    Coursemill Learning Management System
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in userlogin.jsp in Trivantis CourseMill Enterprise Learning Management System 4.1 SP4 allows remote attackers to execute arbitrary SQL commands via the user parameter (username field). NOTE: some of these details are obtained from third party…

  • CVE-2007-6345Dec 13, 2007
    Aurora
    Aurora Framework
    risk 0.00cvss epss 0.00

    SQL injection vulnerability in aurora framework before 20071208 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, possibly the value parameter to the pack_var function in module/db.lib/db_mysql.lib. NOTE: some of these details are obtained from…

  • CVE-2007-6342Dec 13, 2007
    David Castro
    Apache Authcas
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the David Castro AuthCAS module (AuthCAS.pm) 0.4 for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the SESSION_COOKIE_NAME (session ID) in a cookie.

  • CVE-2007-6288Dec 10, 2007
    TCExam
    TCExam
    risk 0.00cvss epss 0.00

    Multiple SQL injection vulnerabilities in TCExam before 5.1.000 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2007-6299Dec 10, 2007
    Drupal
    Drupal
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in Drupal and vbDrupal 4.7.x before 4.7.9 and 5.x before 5.4 allow remote attackers to execute arbitrary SQL commands via modules that pass input to the taxonomy_select_nodes function, as demonstrated by the (1) taxonomy_menu, (2)…