CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 605 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-3470 | 0.00 | — | 0.01 | Aug 12, 2012 | Multiple SQL injection vulnerabilities in application/libraries/api/MY_Countries_Api_Object.php in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to _get_countries functions. | |||
| CVE-2012-3469 | 0.00 | — | 0.01 | Aug 12, 2012 | Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2)… | |||
| CVE-2012-3468 | 0.00 | — | 0.01 | Aug 12, 2012 | Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the verify function in application/controllers/alerts.php, (2) the save_all function in application/models/settings.php,… | |||
| CVE-2012-3132 | 0.00 | — | 0.02 | Aug 10, 2012 | SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to execute arbitrary SQL commands via vectors involving CREATE INDEX with a CTXSYS.CONTEXT INDEXTYPE and… | |||
| CVE-2012-3554 | 0.00 | — | 0.01 | Aug 10, 2012 | SQL injection vulnerability in the RSGallery2 (com_rsgallery2) component before 2.3.0 for Joomla! 1.5.x, and before 3.2.0 for Joomla! 2.5.x, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2012-4061 | 0.00 | — | 0.01 | Jul 25, 2012 | Multiple SQL injection vulnerabilities in ASP-DEv XM Diary allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to diary_view.asp or (2) view_date parameter to default.asp. | |||
| CVE-2012-4056 | 0.00 | — | 0.01 | Jul 25, 2012 | SQL injection vulnerability in index2.php in Uiga Personal Portal allows remote attackers to execute arbitrary SQL commands via the p parameter. | |||
| CVE-2012-2306 | 0.00 | — | 0.01 | Jul 25, 2012 | SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2012-3395 | 0.00 | — | 0.02 | Jul 23, 2012 | SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data. | |||
| CVE-2012-2363 | 0.00 | — | 0.01 | Jul 21, 2012 | SQL injection vulnerability in calendar/event.php in the calendar implementation in Moodle 1.9.x before 1.9.18 allows remote authenticated users to execute arbitrary SQL commands via a crafted calendar event. | |||
| CVE-2012-0868 | 0.00 | — | 0.03 | Jul 18, 2012 | CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are… | |||
| CVE-2011-4292 | 0.00 | — | 0.02 | Jul 16, 2012 | Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations. | |||
| CVE-2012-3998 | 0.00 | — | 0.02 | Jul 12, 2012 | Multiple SQL injection vulnerabilities in Sticky Notes before 0.2.27052012.5 allow remote attackers to execute arbitrary SQL commands via the (1) paste id in admin/modules/mod_pastes.php or (2) show.php, (3) user id to admin/modules/mod_users.php, (4) project to list.php, or (5)… | |||
| CVE-2012-3881 | 0.00 | — | 0.01 | Jul 12, 2012 | Multiple SQL injection vulnerabilities in RTG 0.7.4 and RTG2 0.9.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) 95.php, (2) view.php, or (3) rtg.php. | |||
| CVE-2012-2695 | 0.00 | — | 0.03 | Jun 22, 2012 | The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via… | |||
| CVE-2012-2661 | 0.00 | — | 0.04 | Jun 22, 2012 | The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks… | |||
| CVE-2012-2718 | 0.00 | — | 0.02 | Jun 21, 2012 | SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits." | |||
| CVE-2012-1815 | 0.00 | — | 0.02 | Jun 8, 2012 | SQL injection vulnerability in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2012-2762 | 0.00 | — | 0.02 | Jun 7, 2012 | SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php. | |||
| CVE-2012-0805 | 0.00 | — | 0.03 | Jun 5, 2012 | Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset… |
- CVE-2012-3470Aug 12, 2012risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in application/libraries/api/MY_Countries_Api_Object.php in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to _get_countries functions.
- CVE-2012-3469Aug 12, 2012risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the messages admin functionality in application/controllers/admin/messages.php, (2)…
- CVE-2012-3468Aug 12, 2012risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in the Ushahidi Platform before 2.5 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the verify function in application/controllers/alerts.php, (2) the save_all function in application/models/settings.php,…
- CVE-2012-3132Aug 10, 2012risk 0.00cvss —epss 0.02
SQL injection vulnerability in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to execute arbitrary SQL commands via vectors involving CREATE INDEX with a CTXSYS.CONTEXT INDEXTYPE and…
- CVE-2012-3554Aug 10, 2012risk 0.00cvss —epss 0.01
SQL injection vulnerability in the RSGallery2 (com_rsgallery2) component before 2.3.0 for Joomla! 1.5.x, and before 3.2.0 for Joomla! 2.5.x, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2012-4061Jul 25, 2012risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in ASP-DEv XM Diary allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to diary_view.asp or (2) view_date parameter to default.asp.
- CVE-2012-4056Jul 25, 2012risk 0.00cvss —epss 0.01
SQL injection vulnerability in index2.php in Uiga Personal Portal allows remote attackers to execute arbitrary SQL commands via the p parameter.
- CVE-2012-2306Jul 25, 2012risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2012-3395Jul 23, 2012risk 0.00cvss —epss 0.02
SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data.
- CVE-2012-2363Jul 21, 2012risk 0.00cvss —epss 0.01
SQL injection vulnerability in calendar/event.php in the calendar implementation in Moodle 1.9.x before 1.9.18 allows remote authenticated users to execute arbitrary SQL commands via a crafted calendar event.
- CVE-2012-0868Jul 18, 2012risk 0.00cvss —epss 0.03
CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are…
- CVE-2011-4292Jul 16, 2012risk 0.00cvss —epss 0.02
Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations.
- CVE-2012-3998Jul 12, 2012risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in Sticky Notes before 0.2.27052012.5 allow remote attackers to execute arbitrary SQL commands via the (1) paste id in admin/modules/mod_pastes.php or (2) show.php, (3) user id to admin/modules/mod_users.php, (4) project to list.php, or (5)…
- CVE-2012-3881Jul 12, 2012risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in RTG 0.7.4 and RTG2 0.9.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) 95.php, (2) view.php, or (3) rtg.php.
- CVE-2012-2695Jun 22, 2012risk 0.00cvss —epss 0.03
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via…
- CVE-2012-2661Jun 22, 2012risk 0.00cvss —epss 0.04
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks…
- CVE-2012-2718Jun 21, 2012risk 0.00cvss —epss 0.02
SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits."
- CVE-2012-1815Jun 8, 2012risk 0.00cvss —epss 0.02
SQL injection vulnerability in Emerson DeltaV and DeltaV Workstations 9.3.1, 10.3.1, 11.3, and 11.3.1 and DeltaV ProEssentials Scientific Graph 5.0.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2012-2762Jun 7, 2012risk 0.00cvss —epss 0.02
SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php.
- CVE-2012-0805Jun 5, 2012risk 0.00cvss —epss 0.03
Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset…