CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 548 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-1844 | — | 0.03 | — | 0.01 | Apr 16, 2008 | SQL injection vulnerability in cat.php in W2B phpHotResources allows remote attackers to execute arbitrary SQL commands via the kind parameter. | ||
| CVE-2008-1788 | 0.03 | — | 0.01 | Apr 15, 2008 | SQL injection vulnerability in directory.php in Prozilla Entertainers 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-1789 | 0.03 | — | 0.01 | Apr 15, 2008 | SQL injection vulnerability in forum.php in Prozilla Forum allows remote attackers to execute arbitrary SQL commands via the forum parameter. | |||
| CVE-2008-1791 | 0.03 | — | 0.01 | Apr 15, 2008 | SQL injection vulnerability in ladder.php in My Gaming Ladder 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the ladderid parameter. | |||
| CVE-2008-1774 | 0.03 | — | 0.01 | Apr 14, 2008 | SQL injection vulnerability in editlink.php in Pligg 9.9.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-1758 | 0.03 | — | 0.01 | Apr 12, 2008 | SQL injection vulnerability in the ConcoursPhoto module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the C_ID parameter to index.php. | |||
| CVE-2008-1763 | 0.03 | — | 0.01 | Apr 12, 2008 | SQL injection vulnerability in _blogadata/include/sond_result.php in Blogator-script 0.95 allows remote attackers to execute arbitrary SQL commands via the id_art parameter. | |||
| CVE-2008-1759 | 0.03 | — | 0.01 | Apr 12, 2008 | SQL injection vulnerability in the jeuxflash module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php, a different vector than CVE-2007-4922. | |||
| CVE-2008-1750 | 0.03 | — | 0.01 | Apr 11, 2008 | SQL injection vulnerability in Integry Systems LiveCart 1.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to the /category URI. | |||
| CVE-2008-1726 | 0.03 | — | 0.02 | Apr 11, 2008 | Multiple SQL injection vulnerabilities in KnowledgeQuest 2.6, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) kqid parameter to (a) articletext.php and (b) articletextonly.php and the (2) username parameter to (c)… | |||
| CVE-2008-1733 | 0.03 | — | 0.01 | Apr 11, 2008 | SQL injection vulnerability in puarcade.class.php 2.2 and earlier in the Pragmatic Utopia PU Arcade (com_puarcade) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter to index.php. | |||
| CVE-2008-1732 | 0.03 | — | 0.01 | Apr 11, 2008 | SQL injection vulnerability in showpredictionsformatch.php in Prediction Football 1.x allows remote attackers to execute arbitrary SQL commands via the matchid parameter in a dupa action. | |||
| CVE-2008-1714 | 0.03 | — | 0.01 | Apr 9, 2008 | SQL injection vulnerability in show.php in FaScript FaPhoto 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-1715 | 0.03 | — | 0.01 | Apr 9, 2008 | SQL injection vulnerability in content/user.php in AuraCMS 2.2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter. | |||
| CVE-2008-1640 | 0.03 | — | 0.01 | Apr 2, 2008 | SQL injection vulnerability in jgs_treffen.php in the JGS-XA JGS-Treffen 2.0.2 and earlier addon for Woltlab Burning Board (wBB) allows remote attackers to execute arbitrary SQL commands via the view_id parameter in an ansicht action. | |||
| CVE-2008-1623 | 0.03 | — | 0.01 | Apr 2, 2008 | SQL injection vulnerability in admin_view_image.php in Smoothflash allows remote attackers to execute arbitrary SQL commands via the cid parameter. | |||
| CVE-2008-1639 | 0.03 | — | 0.01 | Apr 2, 2008 | SQL injection vulnerability in index.php in Neat weblog 0.2 allows remote attackers to execute arbitrary SQL commands via the articleId parameter in a show action, probably related to the showArticle function in lib/lib_article.include.php. | |||
| CVE-2008-1641 | 0.03 | — | 0.01 | Apr 2, 2008 | SQL injection vulnerability in default.asp in EfesTECH Video 5.0 allows remote attackers to execute arbitrary SQL commands via the catID parameter. | |||
| CVE-2008-1646 | 0.03 | — | 0.03 | Apr 2, 2008 | SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter. | |||
| CVE-2008-1650 | 0.03 | — | 0.01 | Apr 2, 2008 | SQL injection vulnerability in dynamicpages/index.php in EasyNews 4.0 allows remote attackers to execute arbitrary SQL commands via the read parameter in an edp_Help_Internal_News action. |
- CVE-2008-1844Apr 16, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in cat.php in W2B phpHotResources allows remote attackers to execute arbitrary SQL commands via the kind parameter.
- CVE-2008-1788Apr 15, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in directory.php in Prozilla Entertainers 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-1789Apr 15, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in forum.php in Prozilla Forum allows remote attackers to execute arbitrary SQL commands via the forum parameter.
- CVE-2008-1791Apr 15, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in ladder.php in My Gaming Ladder 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the ladderid parameter.
- CVE-2008-1774Apr 14, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in editlink.php in Pligg 9.9.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-1758Apr 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in the ConcoursPhoto module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the C_ID parameter to index.php.
- CVE-2008-1763Apr 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in _blogadata/include/sond_result.php in Blogator-script 0.95 allows remote attackers to execute arbitrary SQL commands via the id_art parameter.
- CVE-2008-1759Apr 12, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in the jeuxflash module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php, a different vector than CVE-2007-4922.
- CVE-2008-1750Apr 11, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in Integry Systems LiveCart 1.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to the /category URI.
- CVE-2008-1726Apr 11, 2008risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in KnowledgeQuest 2.6, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) kqid parameter to (a) articletext.php and (b) articletextonly.php and the (2) username parameter to (c)…
- CVE-2008-1733Apr 11, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in puarcade.class.php 2.2 and earlier in the Pragmatic Utopia PU Arcade (com_puarcade) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter to index.php.
- CVE-2008-1732Apr 11, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in showpredictionsformatch.php in Prediction Football 1.x allows remote attackers to execute arbitrary SQL commands via the matchid parameter in a dupa action.
- CVE-2008-1714Apr 9, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in show.php in FaScript FaPhoto 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-1715Apr 9, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in content/user.php in AuraCMS 2.2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter.
- CVE-2008-1640Apr 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in jgs_treffen.php in the JGS-XA JGS-Treffen 2.0.2 and earlier addon for Woltlab Burning Board (wBB) allows remote attackers to execute arbitrary SQL commands via the view_id parameter in an ansicht action.
- CVE-2008-1623Apr 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in admin_view_image.php in Smoothflash allows remote attackers to execute arbitrary SQL commands via the cid parameter.
- CVE-2008-1639Apr 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in Neat weblog 0.2 allows remote attackers to execute arbitrary SQL commands via the articleId parameter in a show action, probably related to the showArticle function in lib/lib_article.include.php.
- CVE-2008-1641Apr 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in default.asp in EfesTECH Video 5.0 allows remote attackers to execute arbitrary SQL commands via the catID parameter.
- CVE-2008-1646Apr 2, 2008risk 0.03cvss —epss 0.03
SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter.
- CVE-2008-1650Apr 2, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in dynamicpages/index.php in EasyNews 4.0 allows remote attackers to execute arbitrary SQL commands via the read parameter in an edp_Help_Internal_News action.