VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 552 of 641
  • CVE-2008-0937Feb 25, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter in a print action, a different vector than CVE-2007-1811.

  • CVE-2008-0936Feb 25, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the Prayer List (prayerlist) 1.04 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.

  • CVE-2008-0921Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in news.php in beContent 0.3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0922Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Manuales 0.1 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewdownload action to modules.php.

  • CVE-2008-0920Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in port/modifyportform.php in Open Source Security Information Management (OSSIM) 0.9.9 rc5 allows remote authenticated users to execute arbitrary SQL commands via the portname parameter, which is not properly handled by a validation regular…

  • CVE-2008-0918Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in includes/count_dl_or_link.inc.php in the astatsPRO (com_astatspro) 1.0.1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to getfile.php, a different vector than CVE-2008-0839. NOTE: the…

  • CVE-2008-0916Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Highwood Design hwdVideoShare (com_hwdvideoshare) 1.1.3 Alpha component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a viewcategory action to index.php.

  • CVE-2008-0911Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in productdetails.php in iScripts MultiCart 2.0 allows remote authenticated users to execute arbitrary SQL commands via the productid parameter.

  • CVE-2008-0907Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Inhalt module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-0906Feb 22, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Docum module in PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle operation.

  • CVE-2008-0878Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the MyAnnonces 1.7 and earlier module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.

  • CVE-2008-0881Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in modules.php in the Okul 1.0 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the okulid parameter in an okullar action.

  • CVE-2008-0880Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in modules.php in the EasyContent module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the page_id parameter.

  • CVE-2008-0879Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in modules.php in the Web_Links module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewlink action.

  • CVE-2008-0874Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the eEmpregos module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.

  • CVE-2008-0873Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the jlmZone Classifieds module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in an Adsview action.

  • CVE-2008-0857Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in WoltLab Burning Board 3.0.3 PL 1 allows remote attackers to execute arbitrary SQL commands via the sortOrder parameter to the PMList page.

  • CVE-2008-0855Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Facile Forms (com_facileforms) component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.

  • CVE-2008-0856Feb 21, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in e-Vision CMS 2.02 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) iframe.php and (2) print.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party…

  • CVE-2008-0854Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the com_salesrep component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the rid parameter in a showrep action to index.php.