VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 526 of 641
  • CVE-2008-4369Oct 1, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in pics.php in Availscript Photo Album allows remote attackers to execute arbitrary SQL commands via the sid parameter.

  • CVE-2008-4364Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in default.aspx in ParsaGostar ParsaWeb CMS allows remote attackers to execute arbitrary SQL commands via the (1) id parameter in the "page" page and (2) txtSearch parameter in the "Search" page.

  • CVE-2008-4357Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in linkto.php in Powie pLink 2.07 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4356Sep 30, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in Kasseler CMS 1.1.0 and 1.2.0 allow remote attackers to execute arbitrary SQL commands via (1) the nid parameter to index.php in a View action to the News module; (2) the vid parameter to index.php in a Result action to the Voting module;…

  • CVE-2008-4355Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in showprofil.php in Powie PSCRIPT Forum (aka PHP Forum or pForum) 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-4354Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the products module in NetArt Media iBoutique 4.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php.

  • CVE-2008-4353Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in link.php in Linkarity allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. NOTE: although one component of Linkarity is distributable PHP code, this issue might be site-specific. If so, it should not be included in…

  • CVE-2008-4352Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in inc/pages/viewprofile.php in phpSmartCom 0.2 allows remote attackers to execute arbitrary SQL commands via the uid parameter in a viewprofile action to index.php.

  • CVE-2008-4350Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in main.php in vbLOGIX Tutorial Script 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.

  • CVE-2008-4347Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in newskom.php in Powie pNews 2.03 allows remote attackers to execute arbitrary SQL commands via the newsid parameter.

  • CVE-2008-4345Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in download.php in WebPortal CMS 0.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the aid parameter.

  • CVE-2008-4344Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in cat.php in 6rbScript allows remote attackers to execute arbitrary SQL commands via the CatID parameter.

  • CVE-2008-4335Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in album.php in Atomic Photo Album (APA) 1.1.0pre4 allows remote attackers to execute arbitrary SQL commands via the apa_album_ID parameter.

  • CVE-2008-4332Sep 30, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in the showjavatopic function in func.php in PHP infoBoard V.7 Plus allows remote attackers to execute arbitrary SQL commands via the idcat parameter to showtopic.php.

  • CVE-2008-4328Sep 30, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in site_search.php in EasyRealtorPRO 2008 allows remote attackers to execute arbitrary SQL commands via the (1) item, (2) search_ordermethod, and (3) search_order parameters.

  • CVE-2008-4241Sep 25, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in CJ Ultra Plus 1.0.4 and earlier allows remote attackers to execute arbitrary SQL commands via an SID cookie.

  • CVE-2008-4205Sep 24, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in search.php Attachmax Dolphin 2.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the category parameter in a Search action to index.php. NOTE: some of these details are obtained from third party information.

  • CVE-2008-4204Sep 24, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in city.asp in SoftAcid Hotel Reservation System (HRS) allows remote attackers to execute arbitrary SQL commands via the city parameter.

  • CVE-2008-4203Sep 24, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earlier allows remote attackers to execute arbitrary SQL commands via a recook cookie.

  • CVE-2008-4202Sep 24, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Gonafish LinksCaffePRO 4.5 allows remote attackers to execute arbitrary SQL commands via the idd parameter in a deadlink action.