VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 555 of 641
  • CVE-2008-0738Feb 13, 2008
    risk 0.03cvss epss 0.01

    Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idcust parameter to (a) ajax_getTiers.asp and (b) ajax_getCust.asp in ajax/, and the (2) tableName parameter to…

  • CVE-2008-0733Feb 13, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in CS Team Counter Strike Portals allows remote attackers to execute arbitrary SQL commands via the id parameter, as demonstrated using the downloads page.

  • CVE-2008-0737Feb 13, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and other 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the helpfield parameter.

  • CVE-2008-0735Feb 13, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in mod/gallery/ajax/gallery_data.php in AuraCMS 2.2 allows remote attackers to execute arbitrary SQL commands via the albums parameter.

  • CVE-2008-0734Feb 13, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in class_auth.php in Limbo CMS 1.0.4.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the cuid cookie parameter to admin.php.

  • CVE-2008-0739Feb 13, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter.

  • CVE-2008-0719Feb 12, 2008
    risk 0.03cvss epss 0.03

    SQL injection vulnerability in customer_testimonials.php in the Customer Testimonials 3 and 3.1 Addon for osCommerce Online Merchant 2.2 allows remote attackers to execute arbitrary SQL commands via the testimonial_id parameter.

  • CVE-2008-0721Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the Sermon (com_sermon) 0.2 component for Mambo allows remote attackers to execute arbitrary SQL commands via the gid parameter.

  • CVE-2008-0714Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in users.php in Mihalism Multi Host allows remote attackers to execute arbitrary SQL commands via the username parameter in a lost_password_go action.

  • CVE-2008-0695Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in BookmarkX script 2007 allows remote attackers to execute arbitrary SQL commands via the topicid parameter in a showtopic action.

  • CVE-2008-0692Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in bidhistory.php in iTechBids 3 Gold and 5.0 allows remote attackers to execute arbitrary SQL commands via the item_id parameter.

  • CVE-2008-0689Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the Marketplace (com_marketplace) 1.1.1 and 1.1.1-pl1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a show_category action.

  • CVE-2008-0686Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in the NeoReferences (com_neoreferences) 1.3.1 and 1.3.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter.

  • CVE-2008-0685Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in ViewCat.php in iTechClassifieds 3.0 allows remote attackers to execute arbitrary SQL commands via the CatID parameter.

  • CVE-2008-0683Feb 12, 2008
    risk 0.03cvss epss 0.03

    SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter.

  • CVE-2008-0682Feb 12, 2008
    risk 0.03cvss epss 0.03

    SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for Wordpress allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2008-0681Feb 12, 2008
    risk 0.03cvss epss 0.02

    SQL injection vulnerability in index.php in PHPShop 0.8.1 allows remote attackers to execute arbitrary SQL commands via the product_id parameter, as demonstrated by a shop/flypage action.

  • CVE-2008-0678Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a page action.

  • CVE-2008-0677Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in blog.php in A-Blog 2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a news action.

  • CVE-2008-0675Feb 12, 2008
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in cms/index.pl in The Everything Development Engine in The Everything Development System Pre-1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the node_id parameter.