CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 612 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2010-4496 | 0.00 | — | 0.01 | Jan 7, 2011 | Multiple SQL injection vulnerabilities in Collaborative Information Manager server, as used in TIBCO Collaborative Information Manager before 8.1.0 and ActiveCatalog before 1.0.1, allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2010-4641 | 0.00 | — | 0.01 | Dec 30, 2010 | SQL injection vulnerability in XWiki Enterprise before 2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2010-4639 | 0.00 | — | 0.01 | Dec 30, 2010 | SQL injection vulnerability in index.php in MySource Matrix allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2010-3922 | 0.00 | — | 0.01 | Dec 9, 2010 | SQL injection vulnerability in Movable Type 4.x before 4.35 and 5.x before 5.04 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2010-4505 | 0.00 | — | 0.01 | Dec 8, 2010 | Multiple SQL injection vulnerabilities in login.php in Injader 2.4.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) un and (2) pw parameters. | |||
| CVE-2010-4500 | 0.00 | — | 0.01 | Dec 8, 2010 | Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG) FreeTicket 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) subject, and (4) message parameters in a sendmess action. NOTE:… | |||
| CVE-2010-4257 | 0.00 | — | 0.03 | Dec 7, 2010 | SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. | |||
| CVE-2010-4404 | 0.00 | — | 0.01 | Dec 6, 2010 | SQL injection vulnerability in the Yannick Gaultier sh404SEF component before 2.1.8.777 for Joomla! allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2010-4363 | 0.00 | — | 0.01 | Dec 1, 2010 | Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG) FreeTicket 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) email parameters in a showtickets action. | |||
| CVE-2010-4271 | 0.00 | — | 0.01 | Nov 17, 2010 | SQL injection vulnerability in ImpressCMS before 1.2.3 RC2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2010-2635 | 0.00 | — | 0.01 | Nov 9, 2010 | SQL injection vulnerability in IBM WebSphere Commerce 6.0 before 6.0.0.10 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters to "Commerce Organization Admin Console JavaServer pages." | |||
| CVE-2010-4147 | 0.00 | — | 0.01 | Nov 2, 2010 | Multiple SQL injection vulnerabilities in Pentasoft Avactis Shopping Cart 1.9.1 build 8356 free edition and earlier allow remote attackers to execute arbitrary SQL commands via the User-Agent header to (1) index.php and (2) product-list.php. | |||
| CVE-2010-0112 | 0.00 | — | 0.06 | Oct 28, 2010 | Multiple SQL injection vulnerabilities in the Administrative Interface in the IIS extension in Symantec IM Manager before 8.4.16 allow remote attackers to execute arbitrary SQL commands via (1) the rdReport parameter to rdpageimlogic.aspx, related to the sGetDefinition function… | |||
| CVE-2010-3076 | 0.00 | — | 0.02 | Oct 14, 2010 | The filter function in php/src/include.php in Simple Management for BIND (aka smbind) before 0.4.8 does not anchor a certain regular expression, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via the username parameter to the… | |||
| CVE-2010-3604 | 0.00 | — | 0.01 | Sep 24, 2010 | SQL injection vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2010-3423 | 0.00 | — | 0.01 | Sep 16, 2010 | SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method. | |||
| CVE-2010-3188 | 0.00 | — | 0.01 | Aug 31, 2010 | SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via a custom field to the search page. | |||
| CVE-2009-4979 | 0.00 | — | 0.01 | Aug 25, 2010 | Multiple SQL injection vulnerabilities in search.php in Photokorn Gallery 1.81 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) where[], (2) sort, (3) order, and (4) Match parameters. | |||
| CVE-2010-2826 | 0.00 | — | 0.01 | Aug 17, 2010 | SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0.x before 6.0.196.0 allows remote authenticated users to execute arbitrary SQL commands via vectors related to the ORDER BY clause of the Client List screens, aka Bug ID CSCtf37019. | |||
| CVE-2010-3013 | 0.00 | — | 0.01 | Aug 16, 2010 | SQL injection vulnerability in groupadmin.php in Pligg before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the role parameter, a different vulnerability than CVE-2010-2577. |
- CVE-2010-4496Jan 7, 2011risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Collaborative Information Manager server, as used in TIBCO Collaborative Information Manager before 8.1.0 and ActiveCatalog before 1.0.1, allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2010-4641Dec 30, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in XWiki Enterprise before 2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2010-4639Dec 30, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in index.php in MySource Matrix allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2010-3922Dec 9, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in Movable Type 4.x before 4.35 and 5.x before 5.04 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2010-4505Dec 8, 2010risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in login.php in Injader 2.4.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) un and (2) pw parameters.
- CVE-2010-4500Dec 8, 2010risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG) FreeTicket 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) subject, and (4) message parameters in a sendmess action. NOTE:…
- CVE-2010-4257Dec 7, 2010risk 0.00cvss —epss 0.03
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field.
- CVE-2010-4404Dec 6, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Yannick Gaultier sh404SEF component before 2.1.8.777 for Joomla! allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2010-4363Dec 1, 2010risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG) FreeTicket 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) email parameters in a showtickets action.
- CVE-2010-4271Nov 17, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in ImpressCMS before 1.2.3 RC2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2010-2635Nov 9, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in IBM WebSphere Commerce 6.0 before 6.0.0.10 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters to "Commerce Organization Admin Console JavaServer pages."
- CVE-2010-4147Nov 2, 2010risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Pentasoft Avactis Shopping Cart 1.9.1 build 8356 free edition and earlier allow remote attackers to execute arbitrary SQL commands via the User-Agent header to (1) index.php and (2) product-list.php.
- CVE-2010-0112Oct 28, 2010risk 0.00cvss —epss 0.06
Multiple SQL injection vulnerabilities in the Administrative Interface in the IIS extension in Symantec IM Manager before 8.4.16 allow remote attackers to execute arbitrary SQL commands via (1) the rdReport parameter to rdpageimlogic.aspx, related to the sGetDefinition function…
- CVE-2010-3076Oct 14, 2010risk 0.00cvss —epss 0.02
The filter function in php/src/include.php in Simple Management for BIND (aka smbind) before 0.4.8 does not anchor a certain regular expression, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via the username parameter to the…
- CVE-2010-3604Sep 24, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2010-3423Sep 16, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method.
- CVE-2010-3188Aug 31, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via a custom field to the search page.
- CVE-2009-4979Aug 25, 2010risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in search.php in Photokorn Gallery 1.81 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) where[], (2) sort, (3) order, and (4) Match parameters.
- CVE-2010-2826Aug 17, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0.x before 6.0.196.0 allows remote authenticated users to execute arbitrary SQL commands via vectors related to the ORDER BY clause of the Client List screens, aka Bug ID CSCtf37019.
- CVE-2010-3013Aug 16, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in groupadmin.php in Pligg before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the role parameter, a different vulnerability than CVE-2010-2577.