CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Abstraction: Base · Status: Stable · Likelihood of Exploit: High
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
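The mechanism described above, shown as an added example that is not part of the CWE entry: an `id` lookup of the kind the CVE list below repeatedly cites (a `product_details` page taking an `id` parameter) built first by string concatenation and then as a parameterized query. The table names, rows, and function names are constructed for the demonstration; it runs against an in-memory SQLite database so it works offline.

```python
"""Added example (not from the CWE page): SQL injection via an unneutralized
`id` parameter, beside the parameterized fix. All data is constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a products table the page is meant to
    query, and a users table the caller should never be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99),
                                    (2, 'gadget', 19.99),
                                    (3, 'gizmo', 4.50);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-admin'),
                                 (2, 'alice', 'constructed-hash-alice');
        """
    )
    return conn


def product_details_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """CWE-89 pattern: the externally supplied value is spliced into the SQL
    text, so anything in it that parses as SQL changes the statement."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def product_details_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Fix: a parameterized query. The SQL text is fixed at the call site and
    the value travels separately as a bound parameter, so it is compared as
    data and can never be parsed as SQL. (Validating that product_id is an
    integer before the query is a worthwhile extra layer, but parameter
    binding alone is what closes the injection.)"""
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


# Constructed payloads an attacker might send as the `id` parameter.
TAUTOLOGY = "1 OR 1=1"                       # turns a 1-row lookup into a full dump
UNION_LEAK = "0 UNION SELECT id, username, password_hash FROM users"


def demo() -> dict:
    """Run both versions against the same payloads; returns row counts and the
    usernames leaked (if any) so the behaviour can be checked programmatically."""
    conn = build_db()
    vuln_tautology = product_details_vulnerable(conn, TAUTOLOGY)
    vuln_union = product_details_vulnerable(conn, UNION_LEAK)
    return {
        "vulnerable_tautology_rows": len(vuln_tautology),          # 3: every product
        "vulnerable_union_usernames": [r[1] for r in vuln_union],  # ['admin', 'alice']
        "safe_tautology_rows": len(product_details_safe(conn, TAUTOLOGY)),  # 0
        "safe_union_rows": len(product_details_safe(conn, UNION_LEAK)),     # 0
        "safe_normal_lookup": product_details_safe(conn, "2"),     # [(2, 'gadget', 19.99)]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `UNION` payload only works here because the attacker's `SELECT` returns the same number of columns as the original one; in practice that count, and the table and column names, are what the CAPEC-66 style attacks listed below probe for. Note that `sqlite3.Connection.execute` refuses stacked statements, so a `; DROP TABLE` style payload would raise an error in this harness even though it succeeds against many other drivers.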
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,798)
Page 6 of 440

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-17608 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Child Care Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17607 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | CMS Auditor Website 1.0 has SQL Injection via the PATH_INFO to /news-detail. |
| CVE-2017-17606 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Co-work Space Search Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17605 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Consumer Complaints Clone Script 1.0 has SQL Injection via the other-user-profile.php id parameter. |
| CVE-2017-17604 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker_details.php sourcebus parameter. |
| CVE-2017-17603 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Advanced Real Estate Script 4.0.7 has SQL Injection via the search-results.php Projectmain, proj_type, searchtext, sell_price, or maxprice parameter. |
| CVE-2017-17602 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Advance B2B Script 2.1.3 has SQL Injection via the tradeshow-list-detail.php show_id or view-product.php pid parameter. |
| CVE-2017-17601 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Cab Booking Script 1.0 has SQL Injection via the /service-list city parameter. |
| CVE-2017-17600 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Basic B2B Script 2.0.8 has SQL Injection via the product_details.php id parameter. |
| CVE-2017-17599 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Advance Online Learning Management Script 3.1 has SQL Injection via the courselist.php subcatid or popcourseid parameter. |
| CVE-2017-17598 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Affiliate MLM Script 1.0 has SQL Injection via the product-category.php key parameter. |
| CVE-2017-17597 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Nearbuy Clone Script 3.2 has SQL Injection via the category_list.php search parameter. |
| CVE-2017-17596 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Entrepreneur Job Portal Script 2.0.6 has SQL Injection via the jobsearch_all.php rid1 parameter. |
| CVE-2017-17595 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Beauty Parlour Booking Script 1.0 has SQL Injection via the /list gender or city parameter. |
| CVE-2017-17594 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | DomainSale PHP Script 1.0 has SQL Injection via the domain.php id parameter. |
| CVE-2017-17592 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Website Auction Marketplace 2.0.5 has SQL Injection via the search.php cat_id parameter. |
| CVE-2017-17591 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single-cause.php pid parameter. |
| CVE-2017-17590 | Critical | 0.67 | 9.8 | 0.01 | | Dec 13, 2017 | FS Stackoverflow Clone 1.0 has SQL Injection via the /question keywords parameter. |
| CVE-2017-17589 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Thumbtack Clone 1.0 has SQL Injection via the browse-category.php cat parameter or the browse-scategory.php sc parameter. |
| CVE-2017-17588 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvshow.php s parameter, or show_misc_video.php id parameter. |