VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 593 of 641
  • CVE-2012-6654Aug 14, 2014
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in ZPanel 10.0.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) resetkey or (2) inConfEmail parameter to index.php, a different vulnerability than CVE-2012-5685.

  • CVE-2012-3820Aug 14, 2014
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Software Campaign Enterprise before 11.0.551 allow remote attackers to execute arbitrary SQL commands via the (1) SerialNumber field to activate.asp or (2) UID field to User-Edit.asp.

  • CVE-2012-0939Aug 14, 2014
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier allow remote authenticated users with the Requirement view permission to execute arbitrary SQL commands via the req_spec_id parameter to (1) reqSpecAnalyse.php, (2) reqSpecPrint.php, or (3) reqSpecView.php in…

  • CVE-2014-3339Aug 12, 2014
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in the administrative web interface in Cisco Unified Communications Manager (CM) and Cisco Unified Presence Server (CUPS) allow remote authenticated users to execute arbitrary SQL commands via crafted input to unspecified pages, aka Bug ID…

  • CVE-2014-3336Aug 11, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the web framework in Cisco Unity Connection 9.1(2) and earlier allows remote authenticated users to execute arbitrary SQL commands via a crafted request, aka Bug ID CSCuq31016.

  • CVE-2014-3773Aug 7, 2014
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3)…

  • CVE-2014-5186Aug 6, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page to wp-admin/admin.php.

  • CVE-2014-5185Aug 6, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the Quartz plugin 1.01.1 for WordPress allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands via the quote parameter in an edit action in the quartz/quote_form.php page to wp-admin/edit.php.

  • CVE-2014-5184Aug 6, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the stripshow-storylines page in the stripShow plugin 2.5.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the story parameter in an edit action to wp-admin/admin.php.

  • CVE-2014-5183Aug 6, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in includes/mode-edit.php in the Simple Retail Menus (simple-retail-menus) plugin before 4.1 for WordPress allows remote authenticated editors to execute arbitrary SQL commands via the targetmenu parameter in an edit action to wp-admin/admin.php.

  • CVE-2014-5182Aug 6, 2014
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php, as demonstrated by the id parameter…

  • CVE-2014-3055Jul 29, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the Unified Task List (UTL) Portlet for IBM WebSphere Portal 7.x and 8.x through 8.0.0.1 CF12 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-4858Jul 26, 2014
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in CWPLogin.aspx in Sabre AirCentre Crew products 2010.2.12.20008 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field.

  • CVE-2014-3326Jul 26, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the web framework in Cisco Security Manager 4.5 and 4.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCup26957.

  • CVE-2014-5102Jul 25, 2014
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

  • CVE-2014-5017Jul 21, 2014
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related…

  • CVE-2014-4013Jul 14, 2014
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Policy Manager in Aruba Networks ClearPass 5.x, 6.0.x, 6.1.x through 6.1.4.61696, 6.2.x through 6.2.6.62196, and 6.3.x before 6.3.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-4850Jul 10, 2014
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in index.php in FoeCMS allows remote attackers to execute arbitrary SQL commands via the i parameter.

  • CVE-2014-3483Jul 7, 2014
    risk 0.00cvss epss 0.04

    SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by leveraging…

  • CVE-2014-3482Jul 7, 2014
    risk 0.00cvss epss 0.04

    SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper…