VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 602 of 641
  • CVE-2012-6497Jan 4, 2013
    risk 0.00cvss epss 0.03

    The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known…

  • CVE-2012-6496Jan 4, 2013
    risk 0.00cvss epss 0.04

    SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in…

  • CVE-2012-5590Dec 26, 2012
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2012-6427Dec 23, 2012
    risk 0.00cvss epss 0.01

    The Carlo Gavazzi EOS-Box does not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication, attackers can leak information from the device. This could allow the attacker to compromise…

  • CVE-2012-5967Dec 19, 2012
    risk 0.00cvss epss 0.03

    SQL injection vulnerability in menuXML.php in Centreon 2.3.3 through 2.3.9-4 (fixed in Centreon web 2.6.0) allows remote authenticated users to execute arbitrary SQL commands via the menu parameter.

  • CVE-2012-4971Dec 12, 2012
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in Layton Helpbox 4.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) reqclass parameter to editrequestenduser.asp; the (2) sys_request_id parameter to editrequestuser.asp; the (3) sys_request_id parameter to…

  • CVE-2012-5550Dec 3, 2012
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2012-4479Nov 30, 2012
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2012-4601Nov 23, 2012
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1) user_groups[] parameter to admin/code/tce_edit_test.php or (2) subject_id parameter to…

  • CVE-2012-2086Nov 23, 2012
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the get_last_conversation_lines function in common/logger.py in Gajim before 0.15 allows remote attackers to execute arbitrary SQL commands via the jig parameter.

  • CVE-2012-4941Nov 18, 2012
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in Agile FleetCommander and FleetCommander Kiosk before 4.08 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2012-5910Nov 17, 2012
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter.

  • CVE-2011-5235Oct 25, 2012
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in mnoGoSearch before 3.3.12 allows remote attackers to execute arbitrary SQL commands via the hostname in a hypertext link.

  • CVE-2011-5234Oct 25, 2012
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in user.php in Social Network Community 2 allows remote attackers to execute arbitrary SQL commands via the userId parameter.

  • CVE-2011-5224Oct 25, 2012
    risk 0.00cvss epss 0.03

    SQL injection vulnerability in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2011-5216Oct 25, 2012
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in ajax.php in SCORM Cloud For WordPress plugin before 1.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the active parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2011-5215Oct 25, 2012
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in index.php in Video Community Portal allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2012-4990Oct 22, 2012
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2.8.10 before revision 81823 allows remote attackers to execute arbitrary SQL commands via the ids[] parameter in a link action.

  • CVE-2012-4232Oct 22, 2012
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to execute arbitrary SQL commands via the memberloginid cookie.

  • CVE-2012-5328Oct 8, 2012
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress might allow remote authenticated users to execute arbitrary SQL commands via the (1) memberid or (2) groupid parameters in a removemember action or (3) id…