CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 537 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-2983 | 0.03 | — | 0.01 | Jul 2, 2008 | SQL injection vulnerability in index.php in Demo4 CMS 01 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-2968 | 0.03 | — | 0.01 | Jul 2, 2008 | SQL injection vulnerability in rating.php in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allows remote attackers to execute arbitrary SQL commands via the book_id parameter. | |||
| CVE-2008-2919 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in listing.php in Gryphon gllcTS2 4.2.4 allows remote attackers to execute arbitrary SQL commands via the sort parameter. | |||
| CVE-2008-2921 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in index.php in EZTechhelp EZCMS 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter. | |||
| CVE-2008-2918 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in details.php in Application Dynamics Cartweaver 3.0 allows remote attackers to execute arbitrary SQL commands via the prodId parameter, possibly a related issue to CVE-2006-2046.3. | |||
| CVE-2008-2917 | 0.03 | — | 0.02 | Jun 30, 2008 | SQL injection vulnerability in productsofcat.asp in E-SMART CART allows remote attackers to execute arbitrary SQL commands via the category_id parameter. | |||
| CVE-2008-2916 | 0.03 | — | 0.01 | Jun 30, 2008 | Multiple SQL injection vulnerabilities in Pre ADS Portal 2.0 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter to showcategory.php and the (2) id parameter to software-description.php. | |||
| CVE-2008-2915 | 0.03 | — | 0.01 | Jun 30, 2008 | Multiple SQL injection vulnerabilities in jobseekers/JobSearch.php (aka the search module) in Pre Job Board allow remote attackers to execute arbitrary SQL commands via the (1) position or (2) kw parameter. | |||
| CVE-2008-2914 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in jobseekers/JobSearch3.php (aka the search module) in PHP JOBWEBSITE PRO allows remote attackers to execute arbitrary SQL commands via the (1) kw or (2) position parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-2909 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in results.php in Clever Copy 3.0 allows remote attackers to execute arbitrary SQL commands via the searchtype parameter. | |||
| CVE-2008-2907 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in admin/index.php in WebChamado 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the eml parameter. | |||
| CVE-2008-2906 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in lista_anexos.php in WebChamado 1.1 allows remote attackers to execute arbitrary SQL commands via the tsk_id parameter. | |||
| CVE-2008-2904 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in shop.php in Conkurent PHPMyCart allows remote attackers to execute arbitrary SQL commands via the cat parameter. | |||
| CVE-2008-2903 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in news.php in Advanced Webhost Billing System (AWBS) 2.3.3 through 2.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the viewnews parameter. | |||
| CVE-2008-2902 | 0.03 | — | 0.01 | Jun 30, 2008 | SQL injection vulnerability in profile.php in AlstraSoft AskMe Pro 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: The que_id parameter to forum_answer.php is already covered by CVE-2007-4085. | |||
| CVE-2008-2901 | 0.03 | — | 0.01 | Jun 30, 2008 | Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.4 allow remote authenticated users to execute arbitrary SQL commands via the (1) address parameter to addressbook.php, the (2) getnews parameter to familynews.php, and the (3) poll_id… | |||
| CVE-2008-2897 | 0.03 | — | 0.01 | Jun 27, 2008 | SQL injection vulnerability in index.php in PageSquid CMS 0.3 Beta allows remote attackers to execute arbitrary SQL commands via the page parameter. | |||
| CVE-2008-2900 | 0.03 | — | 0.01 | Jun 27, 2008 | SQL injection vulnerability in item.php in PHPAuction 3.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-2893 | 0.03 | — | 0.01 | Jun 27, 2008 | SQL injection vulnerability in news.php in AJ Square aj-hyip (aka AJ HYIP Acme) allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-2532. | |||
| CVE-2008-2891 | 0.03 | — | 0.01 | Jun 27, 2008 | SQL injection vulnerability in index.php in eMuSOFT emuCMS 0.3 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a category action. |
- CVE-2008-2983Jul 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Demo4 CMS 01 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-2968Jul 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in rating.php in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allows remote attackers to execute arbitrary SQL commands via the book_id parameter.
- CVE-2008-2919Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in listing.php in Gryphon gllcTS2 4.2.4 allows remote attackers to execute arbitrary SQL commands via the sort parameter.
- CVE-2008-2921Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in EZTechhelp EZCMS 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter.
- CVE-2008-2918Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in details.php in Application Dynamics Cartweaver 3.0 allows remote attackers to execute arbitrary SQL commands via the prodId parameter, possibly a related issue to CVE-2006-2046.3.
- CVE-2008-2917Jun 30, 2008risk 0.03cvss —epss 0.02
SQL injection vulnerability in productsofcat.asp in E-SMART CART allows remote attackers to execute arbitrary SQL commands via the category_id parameter.
- CVE-2008-2916Jun 30, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Pre ADS Portal 2.0 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter to showcategory.php and the (2) id parameter to software-description.php.
- CVE-2008-2915Jun 30, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in jobseekers/JobSearch.php (aka the search module) in Pre Job Board allow remote attackers to execute arbitrary SQL commands via the (1) position or (2) kw parameter.
- CVE-2008-2914Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in jobseekers/JobSearch3.php (aka the search module) in PHP JOBWEBSITE PRO allows remote attackers to execute arbitrary SQL commands via the (1) kw or (2) position parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-2909Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in results.php in Clever Copy 3.0 allows remote attackers to execute arbitrary SQL commands via the searchtype parameter.
- CVE-2008-2907Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin/index.php in WebChamado 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the eml parameter.
- CVE-2008-2906Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in lista_anexos.php in WebChamado 1.1 allows remote attackers to execute arbitrary SQL commands via the tsk_id parameter.
- CVE-2008-2904Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in shop.php in Conkurent PHPMyCart allows remote attackers to execute arbitrary SQL commands via the cat parameter.
- CVE-2008-2903Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in news.php in Advanced Webhost Billing System (AWBS) 2.3.3 through 2.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the viewnews parameter.
- CVE-2008-2902Jun 30, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in profile.php in AlstraSoft AskMe Pro 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: The que_id parameter to forum_answer.php is already covered by CVE-2007-4085.
- CVE-2008-2901Jun 30, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.4 allow remote authenticated users to execute arbitrary SQL commands via the (1) address parameter to addressbook.php, the (2) getnews parameter to familynews.php, and the (3) poll_id…
- CVE-2008-2897Jun 27, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in PageSquid CMS 0.3 Beta allows remote attackers to execute arbitrary SQL commands via the page parameter.
- CVE-2008-2900Jun 27, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in item.php in PHPAuction 3.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-2893Jun 27, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in news.php in AJ Square aj-hyip (aka AJ HYIP Acme) allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-2532.
- CVE-2008-2891Jun 27, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in eMuSOFT emuCMS 0.3 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a category action.