VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 539 of 641
  • CVE-2008-2853Jun 25, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in Easy Webstore 1.2 allows remote attackers to execute arbitrary SQL commands via the cat_path parameter.

  • CVE-2008-2837Jun 24, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in CMS-BRD allows remote attackers to execute arbitrary SQL commands via the menuclick parameter.

  • CVE-2008-2834Jun 24, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in projects.php in Scientific Image DataBase 0.41 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2835Jun 24, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in cgi-bin/igsuite in IGSuite 3.2.4 allows remote attackers to execute arbitrary SQL commands via the formid parameter.

  • CVE-2008-2816Jun 23, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in post.php in Oxygen (aka O2PHP Bulletin Board) 2.0 allows remote attackers to execute arbitrary SQL commands via the repquote parameter in a reply action, a different vector than CVE-2006-1572.

  • CVE-2008-2815Jun 23, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in shopping/index.php in MyMarket 1.72 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2817Jun 23, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in albums.php in NiTrO Web Gallery 1.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via the CatId parameter in a show action.

  • CVE-2008-2823Jun 23, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in newsarchive.php in PHPeasyblog (formerly phpeasynews) 1.13 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the post parameter.

  • CVE-2008-2791Jun 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in product.detail.php in Kalptaru Infotech Comparison Engine Power Script 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2792Jun 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in eroCMS 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the site parameter.

  • CVE-2008-2793Jun 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in group_posts.php in ClipShare before 3.0.1 allows remote attackers to execute arbitrary SQL commands via the tid parameter.

  • CVE-2008-2790Jun 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in detail.php in MountainGrafix easyTrade 2.x allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2796Jun 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in FreeCMS 0.2 allows remote attackers to execute arbitrary SQL commands via the page parameter.

  • CVE-2008-2774Jun 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in item.php in CartKeeper CKGold Shopping Cart 2.5 and 2.7 allows remote attackers to execute arbitrary SQL commands via the category_id parameter, a different vector than CVE-2007-4736.

  • CVE-2008-2778Jun 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in inc/class_search.php in the Search System in RevokeBB 1.0 RC11 allows remote attackers to execute arbitrary SQL commands via the search parameter.

  • CVE-2008-2781Jun 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in DZOIC Handshakes 3.5 allows remote attackers to execute arbitrary SQL commands via the fname parameter in a members search action.

  • CVE-2008-2755Jun 18, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in JAMM CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-2770Jun 18, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in MycroCMS 0.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the entry_id parameter.

  • CVE-2008-2753Jun 18, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in Pooya Site Builder (PSB) 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) xslIdn parameter to (a) utils/getXsl.aspx, and the (2) part parameter to (b) getXml.aspx and (c) getXls.aspx in utils/.

  • CVE-2008-2754Jun 18, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in toplists.php in eFiction 3.0 and 3.4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the list parameter.