VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 553 of 641
  • CVE-2008-0853Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the com_detail component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. NOTE: this issue might be site-specific. If so, it should not be included in CVE.

  • CVE-2008-0847Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in print.php in the myTopics module for XOOPS allows remote attackers to execute arbitrary SQL commands via the articleid parameter.

  • CVE-2008-0855Feb 21, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Facile Forms (com_facileforms) component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.

  • CVE-2008-0841Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the Giorgio Nordo Ricette (com_ricette) 1.0 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0842Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the Classifier (com_clasifier) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

  • CVE-2008-0839Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in refer.php in the astatsPRO (com_astatspro) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0835Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in indexen.php in Simple CMS 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the area parameter.

  • CVE-2008-0844Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the PccookBook (com_pccookbook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter.

  • CVE-2008-0845Feb 20, 2008
    risk 0.03cvss epss 0.03

    SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter.

  • CVE-2008-0846Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the com_profile component for Joomla! allows remote attackers to execute arbitrary SQL commands via the oid parameter.

  • CVE-2008-0831Feb 20, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in the Rapid Recipe (com_rapidrecipe) 1.6.5 and earlier component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) user_id or (2) category_id parameter. NOTE: this might overlap CVE-2008-0754.

  • CVE-2008-0833Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the com_galeria component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action.

  • CVE-2008-0832Feb 20, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the Kemas Antonius com_quran 1.1 and earlier component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the surano parameter in a viewayat action.

  • CVE-2008-0827Feb 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the Books module of PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter.

  • CVE-2008-0829Feb 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in jooget.php in the Joomlapixel Jooget! (com_jooget) 2.6.8 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail task.

  • CVE-2008-0821Feb 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in admin/traffic/knowledge_searchm.php in OSI Codes Inc. PHP Live! 3.2.2 allows remote attackers to execute arbitrary SQL commands via the questid parameter in an expand_question action.

  • CVE-2008-0811Feb 19, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in AuraCMS 1.62 allow remote attackers to execute arbitrary SQL commands via (1) the kid parameter to (a) mod/dl.php or (b) mod/links.php, and (2) the query parameter to search.php.

  • CVE-2008-0810Feb 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the com_scheduling module for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0815Feb 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the com_mezun component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit task.

  • CVE-2008-0817Feb 19, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in the com_filebase component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in a selectfolder action.