VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 509 of 512
  • CVE-2006-4039Aug 9, 2006
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos 0.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) gastname, (2) gastwohnort, or (3) gasteintrag parameters.

  • CVE-2006-3688Jul 21, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in Room.php in Francisco Charrua Photo-Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2006-3430Jul 7, 2006
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in checkprofile.asp in (1) PatchLink Update Server (PLUS) before 6.1 P1 and 6.2.x before 6.2 SR1 P1 and (2) Novell ZENworks 6.2 SR1 and earlier, allows remote attackers to execute arbitrary SQL commands via the agentid parameter.

  • CVE-2006-3318Jun 29, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in register.php for phpRaid 3.0.6 and possibly other versions, when the authorization type is phpraid, allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) email parameters.

  • CVE-2006-3181Jun 23, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in index.php in MobeScripts Mobile Space Community 2.0 allows remote attackers to execute arbitrary SQL commands via the browse parameter.

  • CVE-2006-3139Jun 22, 2006
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters.

  • CVE-2006-3064Jun 19, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the add_hit function in include/function.inc.php in Coppermine Photo Gallery (CPG) 1.4.8, when "Keep detailed hit statistics" is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) referer and (2) user-agent HTTP headers.

  • CVE-2006-3048Jun 16, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in TikiWiki 1.9.3.2 and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.

  • CVE-2006-2977Jun 12, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in big.php in Mafia Moblog 0.6M1 and earlier allows remote attackers to execute arbitrary SQL commands via the img parameter.

  • CVE-2006-2760Jun 2, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in modules.php in 4nNukeWare 4nForum 0.91 allows remote attackers to execute arbitrary SQL commands via the tid parameter.

  • CVE-2006-2416May 16, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in class2.php in e107 0.7.2 and earlier allows remote attackers to execute arbitrary SQL commands via a cookie as defined in $pref['cookie_name'].

  • CVE-2006-2301May 11, 2006
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in admin_default.asp in OzzyWork Galeri allows remote attackers to execute arbitrary SQL commands via the (1) Login or (2) password fields.

  • CVE-2006-2259May 9, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in Logon.asp in MaxxSchedule 1.0 allows remote attackers to execute arbitrary SQL commands via the txtLogon parameter.

  • CVE-2006-2239May 9, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in readarticle.php in Newsadmin 1.1 allows remote attackers to execute arbitrary SQL commands via the nid parameter.

  • CVE-2006-2268May 9, 2006
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in FlexCustomer 0.0.4 and earlier allows remote attackers to bypass authentication and execute arbitrary SQL commands via the admin and ordinary user interface, probably involving the (1) checkuser and (2) checkpass parameters to (a) admin/index.php,…

  • CVE-2006-2157May 3, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in gallery.php in Plogger Beta 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter, when the level is set to "slideshow". NOTE: This is a different vulnerability than CVE-2005-4246.

  • CVE-2006-2128May 1, 2006
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in Pro Publish 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) email and (2) password parameter to (a) admin/login.php, (3) find_str parameter to (b) search.php, or (4) artid parameter to (c) art.php, or (5) catid…

  • CVE-2006-2090Apr 29, 2006
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in misc.php in MySmartBB 1.1.x allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) username parameters.

  • CVE-2006-2103Apr 29, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in MyBB (MyBulletinBoard) 1.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the (1) query string ($querystring variable) in (a) admin/adminlogs.php, which is not properly handled by adminfunctions.php; or (2)…

  • CVE-2006-1962Apr 21, 2006
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in PCPIN Chat 5.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (login parameter) to main.php.