CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (9,858)

page 491 of 493

CVE	Vendor / Product	CVSS	EPSS	Published	Description
CVE-2006-2090	Mysmartbb Mysmartbb	—	0.01	Apr 29, 2006	Multiple SQL injection vulnerabilities in misc.php in MySmartBB 1.1.x allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) username parameters.
CVE-2006-1962	Pcpin Pcpin Chat	—	0.02	Apr 21, 2006	SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (login parameter) to main.php.
CVE-2006-1871	Oracle Corporation Database Server	—	0.02	Apr 20, 2006	SQL injection vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.5 allows remote attackers to execute arbitrary SQL commands via the DELETE_FROM_TABLE function in the DBMS_LOGMNR_SESSION (Log Miner) package, aka Vuln# DB06.
CVE-2006-1751	Michiel Van Baak Mvblog	—	0.01	Apr 12, 2006	Multiple SQL injection vulnerabilities in MvBlog before 1.6 allow remote attackers to execute arbitrary SQL commands via unknown vectors.
CVE-2006-1500	Tilde CMS Project Tilde CMS	—	0.01	Mar 30, 2006	SQL injection vulnerability in index.php in Tilde CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2006-1423	Ubbcentral Ubb.threads	—	0.01	Mar 28, 2006	SQL injection vulnerability in showflat.php in UBB.threads 5.5.1, 6.0 br5, 6.0.1, 6.0.2, and earlier, allows remote attackers to execute arbitrary SQL commands via the Number parameter.
CVE-2006-1360	Musicbox Musicbox	—	0.01	Mar 23, 2006	Multiple SQL injection vulnerabilities in MusicBox 2.3 Beta 2 allow remote attackers to execute arbitrary SQL commands via the (1) id, (2) type, or (3) show parameter to (a) index.php; or the (4) message1 or (5) message parameter to (b) cart.php.
CVE-2006-1049	Joomla Joomla!	—	0.01	Mar 7, 2006	Multiple SQL injection vulnerabilities in the Admin functionality in Joomla! 1.0.7 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via unknown attack vectors.
CVE-2006-1006	Sendcard Sendcard	—	0.01	Mar 6, 2006	Multiple SQL injection vulnerabilities in sendcard.php in sendcard before 3.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.
CVE-2006-0897	VCS Virtual Program Management Intranet (VPMi) Enterprise	—	0.01	Feb 25, 2006	SQL injection vulnerability in VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3 allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to Service_Requests.asp. NOTE: the provenance of this information is unknown; the details are…
CVE-2006-0772	Hitachi Business Logic	—	0.02	Feb 19, 2006	SQL injection vulnerability in Hitachi Business Logic - Container 02-03 through 03-00-/B on Windows, and 03-00 through 03-00-/B on Linux, allows remote attackers to execute arbitrary SQL commands via unspecified vectors in the extended receiving box function.
CVE-2006-0692	Carey Briggs PHP Mysql Timesheet	—	0.01	Feb 15, 2006	Multiple SQL injection vulnerabilities in Carey Briggs PHP/MYSQL Timesheet 1 and 2 allow remote attackers to execute arbitrary SQL commands via the (1) yr, (2) month, (3) day, and (4) job parameters in (a) index.php and (b) changehrs.php.
CVE-2006-0602	Hinton Design Phphg Guestbook	—	0.02	Feb 8, 2006	Multiple SQL injection vulnerabilities in Hinton Design phphg Guestbook 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to check.php or the id parameter to (2) admin/edit_smilie.php, (3) admin/add_theme.php, (4) admin/ban_ip.php, (5)…
CVE-2006-0412	Gencbeyin Web Programlama Cybershop	—	0.01	Jan 25, 2006	SQL injection vulnerability in CyberShop allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action.
CVE-2006-0403	E Moblog E Moblog	—	0.02	Jan 25, 2006	Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php. NOTE: some sources have reported item 1 as involving the "monthly" parameter, but…
CVE-2006-0269	Oracle Corporation Oracle10g	—	0.02	Jan 18, 2006	Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a…
CVE-2006-0205	Wordcircle Wordcircle	—	0.02	Jan 13, 2006	Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via…
CVE-2006-0192	Philip Loftin Aspsurvey	—	0.02	Jan 13, 2006	SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp.
CVE-2006-0159	Javier Suarez Sanz Foro Domus	—	0.01	Jan 10, 2006	SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the…
CVE-2005-4632	Vote Pro Vote Pro	—	0.01	Dec 31, 2005	SQL injection vulnerability in poll_frame.php in Vote! Pro 4.0 and earlier allows remote attackers to execute arbitrary SQL commands via the poll_id parameter.

CVE-2006-2090Apr 29, 2006
Mysmartbb
Mysmartbb
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in misc.php in MySmartBB 1.1.x allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) username parameters.
CVE-2006-1962Apr 21, 2006
Pcpin
Pcpin Chat
risk 0.00cvss —epss 0.02
SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (login parameter) to main.php.
CVE-2006-1871Apr 20, 2006
Oracle Corporation
Database Server
risk 0.00cvss —epss 0.02
SQL injection vulnerability in Oracle Database Server 9.2.0.7 and 10.1.0.5 allows remote attackers to execute arbitrary SQL commands via the DELETE_FROM_TABLE function in the DBMS_LOGMNR_SESSION (Log Miner) package, aka Vuln# DB06.
CVE-2006-1751Apr 12, 2006
Michiel Van Baak
Mvblog
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in MvBlog before 1.6 allow remote attackers to execute arbitrary SQL commands via unknown vectors.
CVE-2006-1500Mar 30, 2006
Tilde CMS Project
Tilde CMS
risk 0.00cvss —epss 0.01
SQL injection vulnerability in index.php in Tilde CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2006-1423Mar 28, 2006
Ubbcentral
Ubb.threads
risk 0.00cvss —epss 0.01
SQL injection vulnerability in showflat.php in UBB.threads 5.5.1, 6.0 br5, 6.0.1, 6.0.2, and earlier, allows remote attackers to execute arbitrary SQL commands via the Number parameter.
CVE-2006-1360Mar 23, 2006
Musicbox
Musicbox
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in MusicBox 2.3 Beta 2 allow remote attackers to execute arbitrary SQL commands via the (1) id, (2) type, or (3) show parameter to (a) index.php; or the (4) message1 or (5) message parameter to (b) cart.php.
CVE-2006-1049Mar 7, 2006
Joomla
Joomla!
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in the Admin functionality in Joomla! 1.0.7 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via unknown attack vectors.
CVE-2006-1006Mar 6, 2006
Sendcard
Sendcard
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in sendcard.php in sendcard before 3.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.
CVE-2006-0897Feb 25, 2006
VCS
Virtual Program Management Intranet (VPMi) Enterprise
risk 0.00cvss —epss 0.01
SQL injection vulnerability in VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3 allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to Service_Requests.asp. NOTE: the provenance of this information is unknown; the details are…
CVE-2006-0772Feb 19, 2006
Hitachi
Business Logic
risk 0.00cvss —epss 0.02
SQL injection vulnerability in Hitachi Business Logic - Container 02-03 through 03-00-/B on Windows, and 03-00 through 03-00-/B on Linux, allows remote attackers to execute arbitrary SQL commands via unspecified vectors in the extended receiving box function.
CVE-2006-0692Feb 15, 2006
Carey Briggs
PHP Mysql Timesheet
risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Carey Briggs PHP/MYSQL Timesheet 1 and 2 allow remote attackers to execute arbitrary SQL commands via the (1) yr, (2) month, (3) day, and (4) job parameters in (a) index.php and (b) changehrs.php.
CVE-2006-0602Feb 8, 2006
Hinton Design
Phphg Guestbook
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in Hinton Design phphg Guestbook 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to check.php or the id parameter to (2) admin/edit_smilie.php, (3) admin/add_theme.php, (4) admin/ban_ip.php, (5)…
CVE-2006-0412Jan 25, 2006
Gencbeyin Web Programlama
Cybershop
risk 0.00cvss —epss 0.01
SQL injection vulnerability in CyberShop allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action.
CVE-2006-0403Jan 25, 2006
E Moblog
E Moblog
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in e-moBLOG 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) monthy parameter to index.php or (2) login parameter to admin/index.php. NOTE: some sources have reported item 1 as involving the "monthly" parameter, but…
CVE-2006-0269Jan 18, 2006
Oracle Corporation
Oracle10g
risk 0.00cvss —epss 0.02
Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a…
CVE-2006-0205Jan 13, 2006
Wordcircle
Wordcircle
risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via…
CVE-2006-0192Jan 13, 2006
Philip Loftin
Aspsurvey
risk 0.00cvss —epss 0.02
SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp.
CVE-2006-0159Jan 10, 2006
Javier Suarez Sanz
Foro Domus
risk 0.00cvss —epss 0.01
SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the…
CVE-2005-4632Dec 31, 2005
Vote Pro
Vote Pro
risk 0.00cvss —epss 0.01
SQL injection vulnerability in poll_frame.php in Vote! Pro 4.0 and earlier allows remote attackers to execute arbitrary SQL commands via the poll_id parameter.