CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 547 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-1909 | 0.03 | — | 0.01 | Apr 22, 2008 | SQL injection vulnerability in comment.php in PHP Knowledge Base (PHPKB) 1.5 and 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | |||
| CVE-2008-1907 | 0.03 | — | 0.01 | Apr 22, 2008 | Multiple SQL injection vulnerabilities in functions/display_page.func.php in cpCommerce 1.1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id_product, (2) id_manufacturer, and (3) id_category parameters to unspecified components. NOTE: this probably… | |||
| CVE-2008-1911 | 0.03 | — | 0.01 | Apr 22, 2008 | SQL injection vulnerability in includes/system.php in 1024 CMS 1.4.2 beta and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a cookpass cookie. | |||
| CVE-2008-1913 | 0.03 | — | 0.01 | Apr 22, 2008 | SQL injection vulnerability in index.php in Lasernet CMS 1.5 and 1.11, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the new parameter in a new action. | |||
| CVE-2008-1895 | 0.03 | — | 0.01 | Apr 18, 2008 | Multiple SQL injection vulnerabilities in Carbon Communities 2.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to events.asp, the (2) UserName parameter to getpassword.asp, and possibly an unspecified parameter to (3)… | |||
| CVE-2008-1889 | 0.03 | — | 0.01 | Apr 18, 2008 | SQL injection vulnerability in viewcat.php in XplodPHP AutoTutorials 2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-1869 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in Site Sift Listings allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: this issue might be site-specific. | |||
| CVE-2008-1872 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in home.news.php in Comdev News Publisher 4.1.2 allows remote attackers to execute arbitrary SQL commands via the arcmonth parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-1874 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in account/user/mail.html in Xpoze Pro 3.05 and earlier allows remote authenticated users to execute arbitrary SQL commands via the reed parameter. | |||
| CVE-2008-1864 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in project.php in Prozilla Freelancers allows remote attackers to execute arbitrary SQL commands via the project parameter. | |||
| CVE-2008-1863 | 0.03 | — | 0.02 | Apr 17, 2008 | SQL injection vulnerability in view_reviews.php in Prozilla Cheat Script (aka Cheats) 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-1875 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in index.php in Terong PHP Photo Gallery (aka Advanced Web Photo Gallery) 1.0 allows remote attackers to execute arbitrary SQL commands via the photo_id parameter. | |||
| CVE-2008-1870 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in getdata.php in PIGMy-SQL 1.4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-1867 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in Blog Pixel Motion (aka Blog PixelMotion) allows remote attackers to execute arbitrary SQL commands via the categorie parameter to index.php, possibly related to include/requetesIndex.php. | |||
| CVE-2008-1871 | 0.03 | — | 0.01 | Apr 17, 2008 | SQL injection vulnerability in links.php in Scriptsagent.com Links Directory 1.1 allows remote authenticated users to execute arbitrary SQL commands via the cat_id parameter in a list action. | |||
| CVE-2008-1858 | 0.03 | — | 0.01 | Apr 16, 2008 | SQL injection vulnerability in index.php in 724Networks 724CMS 4.01 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. | |||
| CVE-2008-1859 | 0.03 | — | 0.01 | Apr 16, 2008 | SQL injection vulnerability in events.php in iScripts SocialWare allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action. | |||
| CVE-2008-1838 | 0.03 | — | 0.01 | Apr 16, 2008 | SQL injection vulnerability in BosClassifieds Classified Ads System 3.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php. | |||
| CVE-2008-1843 | — | 0.03 | — | 0.01 | Apr 16, 2008 | SQL injection vulnerability in browse.php in W2B DatingClub (aka Dating Club) allows remote attackers to execute arbitrary SQL commands via the age_to parameter in a browsebyCat action. | ||
| CVE-2008-1844 | — | 0.03 | — | 0.01 | Apr 16, 2008 | SQL injection vulnerability in cat.php in W2B phpHotResources allows remote attackers to execute arbitrary SQL commands via the kind parameter. |
- CVE-2008-1909Apr 22, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in comment.php in PHP Knowledge Base (PHPKB) 1.5 and 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter.
- CVE-2008-1907Apr 22, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in functions/display_page.func.php in cpCommerce 1.1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id_product, (2) id_manufacturer, and (3) id_category parameters to unspecified components. NOTE: this probably…
- CVE-2008-1911Apr 22, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in includes/system.php in 1024 CMS 1.4.2 beta and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a cookpass cookie.
- CVE-2008-1913Apr 22, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Lasernet CMS 1.5 and 1.11, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the new parameter in a new action.
- CVE-2008-1895Apr 18, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in Carbon Communities 2.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to events.asp, the (2) UserName parameter to getpassword.asp, and possibly an unspecified parameter to (3)…
- CVE-2008-1889Apr 18, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in viewcat.php in XplodPHP AutoTutorials 2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-1869Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in Site Sift Listings allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: this issue might be site-specific.
- CVE-2008-1872Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in home.news.php in Comdev News Publisher 4.1.2 allows remote attackers to execute arbitrary SQL commands via the arcmonth parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-1874Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in account/user/mail.html in Xpoze Pro 3.05 and earlier allows remote authenticated users to execute arbitrary SQL commands via the reed parameter.
- CVE-2008-1864Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in project.php in Prozilla Freelancers allows remote attackers to execute arbitrary SQL commands via the project parameter.
- CVE-2008-1863Apr 17, 2008risk 0.03cvss —epss 0.02
SQL injection vulnerability in view_reviews.php in Prozilla Cheat Script (aka Cheats) 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-1875Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Terong PHP Photo Gallery (aka Advanced Web Photo Gallery) 1.0 allows remote attackers to execute arbitrary SQL commands via the photo_id parameter.
- CVE-2008-1870Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in getdata.php in PIGMy-SQL 1.4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-1867Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in Blog Pixel Motion (aka Blog PixelMotion) allows remote attackers to execute arbitrary SQL commands via the categorie parameter to index.php, possibly related to include/requetesIndex.php.
- CVE-2008-1871Apr 17, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in links.php in Scriptsagent.com Links Directory 1.1 allows remote authenticated users to execute arbitrary SQL commands via the cat_id parameter in a list action.
- CVE-2008-1858Apr 16, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in 724Networks 724CMS 4.01 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter.
- CVE-2008-1859Apr 16, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in events.php in iScripts SocialWare allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.
- CVE-2008-1838Apr 16, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in BosClassifieds Classified Ads System 3.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php.
- CVE-2008-1843Apr 16, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in browse.php in W2B DatingClub (aka Dating Club) allows remote attackers to execute arbitrary SQL commands via the age_to parameter in a browsebyCat action.
- CVE-2008-1844Apr 16, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in cat.php in W2B phpHotResources allows remote attackers to execute arbitrary SQL commands via the kind parameter.