CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

CWE-943

Children

CWE-564

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,797)

page 5 of 440

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-17629	Cri	0.67	9.8	0.03	Dec 13, 2017	Secure E-commerce Script 2.0.1 has SQL Injection via the category.php searchmain or searchcat parameter, or the single_detail.php sid parameter.
CVE-2017-17628	Cri	0.67	9.8	0.03	Dec 13, 2017	Responsive Realestate Script 3.2 has SQL Injection via the property-list tbud parameter.
CVE-2017-17627	Cri	0.67	9.8	0.03	Dec 13, 2017	Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter.
CVE-2017-17626	Cri	0.67	9.8	0.03	Dec 13, 2017	Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter.
CVE-2017-17625	Cri	0.67	9.8	0.02	Dec 13, 2017	Professional Service Script 1.0 has SQL Injection via the service-list city parameter.
CVE-2017-17624	Cri	0.67	9.8	0.03	Dec 13, 2017	PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter.
CVE-2017-17623	Cri	0.67	9.8	0.03	Dec 13, 2017	Opensource Classified Ads Script 3.2 has SQL Injection via the advance_result.php keyword parameter.
CVE-2017-17622	Cri	0.67	9.8	0.04	Dec 13, 2017	Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter.
CVE-2017-17621	Cri	0.67	9.8	0.04	Dec 13, 2017	Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI.
CVE-2017-17620	Cri	0.67	9.8	0.03	Dec 13, 2017	Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city parameter.
CVE-2017-17619	Cri	0.67	9.8	0.04	Dec 13, 2017	Laundry Booking Script 1.0 has SQL Injection via the /list city parameter.
CVE-2017-17618	Cri	0.67	9.8	0.03	Dec 13, 2017	Kickstarter Clone Script 2.0 has SQL Injection via the investcalc.php projid parameter.
CVE-2017-17617	Cri	0.67	9.8	0.03	Dec 13, 2017	Foodspotting Clone Script 1.0 has SQL Injection via the quicksearch.php q parameter.
CVE-2017-17616	Cri	0.67	9.8	0.03	Dec 13, 2017	Event Search Script 1.0 has SQL Injection via the /event-list city parameter.
CVE-2017-17614	Cri	0.67	9.8	0.03	Dec 13, 2017	Food Order Script 1.0 has SQL Injection via the /list city parameter.
CVE-2017-17613	Cri	0.67	9.8	0.03	Dec 13, 2017	Freelance Website Script 2.0.6 has SQL Injection via the jobdetails.php pr_id parameter or the searchbycat_list.php catid parameter.
CVE-2017-17612	Cri	0.67	9.8	0.04	Dec 13, 2017	Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter.
CVE-2017-17611	Cri	0.67	9.8	0.03	Dec 13, 2017	Doctor Search Script 1.0 has SQL Injection via the /list city parameter.
CVE-2017-17610	Cri	0.67	9.8	0.03	Dec 13, 2017	E-commerce MLM Software 1.0 has SQL Injection via the service_detail.php pid parameter, event_detail.php eventid parameter, or news_detail.php newid parameter.
CVE-2017-17609	Cri	0.67	9.8	0.03	Dec 13, 2017	Chartered Accountant Booking Script 1.0 has SQL Injection via the /service-list city parameter.