VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (12,807)

page 621 of 641
  • CVE-2009-3533Oct 2, 2009
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in report.php in Meeting Room Booking System (MRBS) before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the typematch parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2009-3532Oct 2, 2009
    risk 0.00cvss epss 0.02

    Multiple SQL injection vulnerabilities in login.asp (aka the login screen) in LogRover 2.3 and 2.3.3 on Windows allow remote attackers to execute arbitrary SQL commands via the (1) uname and (2) pword parameters. NOTE: some of these details are obtained from third party…

  • CVE-2009-3505Sep 30, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in view_news.php in Vastal I-Tech MMORPG Zone allows remote attackers to execute arbitrary SQL commands via the news_id parameter. NOTE: the game_id vector is already covered by CVE-2008-4460.

  • CVE-2009-3501Sep 30, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in students.php in BPowerHouse BPStudents 1.0 allows remote attackers to execute arbitrary SQL commands via the test parameter in a preview action.

  • CVE-2009-3498Sep 30, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in php/update_article_hits.php in HBcms 1.7 allows remote attackers to execute arbitrary SQL commands via the article_id parameter.

  • CVE-2009-3497Sep 30, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in view_listing.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2009-3480Sep 30, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the iCRM Basic (com_icrmbasic) component 1.4.2.31 for Joomla! allows remote attackers to execute arbitrary SQL commands via the p3 parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from…

  • CVE-2009-3337Sep 24, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Freetag (serendipity_event_freetag) plugin before 3.09 for Serendipity (S9Y) allows remote attackers to execute arbitrary SQL commands via an unspecified parameter associated with Meta keywords in a blog entry.

  • CVE-2009-3319Sep 23, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 allows remote attackers to execute arbitrary SQL commands via the id parameter in a sec list action, a different vector than CVE-2006-1018.

  • CVE-2009-3259Sep 18, 2009
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in RASH Quote Management System (RQMS) 1.2.2 allow remote attackers to execute arbitrary SQL commands via (1) the search parameter in a search action, (2) the quote parameter in a quote addition, or (3) a User_Name cookie in unspecified…

  • CVE-2009-3255Sep 18, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in RASH Quote Management System (RQMS) 1.2.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter in an admin action to the default URI.

  • CVE-2009-3212Sep 16, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in VivaPrograms Infinity Script 2.x.x, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username field.

  • CVE-2009-3165Sep 15, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Bug.create WebService function in Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through 3.4.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters.

  • CVE-2009-3125Sep 15, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the Bug.search WebService function in Bugzilla 3.3.2 through 3.4.1, and 3.5, allows remote attackers to execute arbitrary SQL commands via unspecified parameters.

  • CVE-2009-3118Sep 9, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in mod/poll/comment.php in the vote module in Danneo CMS 0.5.2 and earlier allows remote attackers to execute arbitrary SQL commands via the comtext parameter, in conjunction with crafted comname and comtitle parameters, in a poll action to index.php,…

  • CVE-2009-2978Aug 27, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2009-2933Aug 21, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.

  • CVE-2009-2886Aug 20, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in bios.php in PHP Scripts Now President Bios allows remote attackers to execute arbitrary SQL commands via the rank parameter.

  • CVE-2008-6986Aug 19, 2009
    risk 0.00cvss epss 0.03

    SQL injection vulnerability in the actionMultipleAddProduct function in includes/classes/shopping_cart.php in Zen Cart 1.3.0 through 1.3.8a, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the products_id array parameter in a…

  • CVE-2008-6980Aug 19, 2009
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in as_archives.php in phpAdultSite CMS, possibly 2.3.2, allows remote attackers to execute arbitrary SQL commands via the results_per_page parameter to index.php. NOTE: some of these details are obtained from third party information.