VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 529 of 641
  • CVE-2008-3951Sep 11, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in view_ann.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the ann_id parameter.

  • CVE-2008-3942Sep 5, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in landsee.php in Full PHP Emlak Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-3943Sep 5, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in listtest.php in eZoneScripts Living Local 1.1 allows remote attackers to execute arbitrary SQL commands via the r parameter.

  • CVE-2008-3945Sep 5, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Words tag 1.2 allows remote attackers to execute arbitrary SQL commands via the word parameter in a claim action.

  • CVE-2008-3944Sep 5, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in ACG-PTP 1.0.6 allows remote attackers to execute arbitrary SQL commands via the adid parameter in an adorder action.

  • CVE-2008-3918Sep 4, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Ovidentia 6.6.5 allows remote attackers to execute arbitrary SQL commands via the field parameter in a search action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2008-3888Sep 2, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in members.asp in Mini-NUKE Freehost 2.3 allows remote attackers to execute arbitrary SQL commands via the uid parameter in a member_details action.

  • CVE-2008-3861Aug 29, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in phpMyRealty (PMR) 1.0.9 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in pages.php and (2) the price_max parameter in search.php.

  • CVE-2008-3848Aug 27, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in single.php in Z-Breaknews 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-3845Aug 27, 2008
    risk 0.03cvss epss 0.02

    Multiple SQL injection vulnerabilities in Crafty Syntax Live Help (CSLH) 2.14.6 and earlier allow remote attackers to execute arbitrary SQL commands via the department parameter to (1) is_xmlhttp.php and (2) is_flush.php.

  • CVE-2008-3785Aug 26, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in the com_content component in MiaCMS 4.6.5 allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) view, (2) category, or (3) blogsection action to index.php.

  • CVE-2008-3788Aug 26, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in PICTURESPRO Photo Cart 3.9, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) qtitle, (2) qid, and (3) qyear parameters to (a) search.php, and the (4) email and (5) password…

  • CVE-2008-3787Aug 26, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in listing_view.php in Web Directory Script 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the name parameter.

  • CVE-2008-3784Aug 26, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in scrape.php in BtiTracker 1.4.7 and earlier and xBtiTracker 2.0.542 and earlier allows remote attackers to execute arbitrary SQL commands via the info_hash parameter.

  • CVE-2008-3783Aug 26, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in index.php in Matterdaddy Market 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) category and (2) type parameters.

  • CVE-2008-3780Aug 26, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in recommend.php in Five Star Review Script allows remote attackers to execute arbitrary SQL commands via the item_id parameter.

  • CVE-2008-3774Aug 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Simasy CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-3772Aug 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in categories_portal.php in Pars4u Videosharing 1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

  • CVE-2008-3767Aug 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in classified.php in phpBazar 2.0.2 allows remote attackers to execute arbitrary SQL commands via the adid parameter.

  • CVE-2008-3768Aug 22, 2008
    risk 0.03cvss epss 0.02

    Multiple SQL injection vulnerabilities in class.ajax.php in Turnkey Web Tools SunShop Shopping Cart before 4.1.5 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in an edit_registry action to index.php, (2) a vector involving the check_email…