CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 628 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-4655 | 0.00 | — | 0.01 | Oct 22, 2008 | SQL injection vulnerability in the Simple survey (simplesurvey) 1.7.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-4647 | 0.00 | — | 0.01 | Oct 22, 2008 | SQL injection vulnerability in index.php in sweetCMS 1.5.2 allows remote attackers to execute arbitrary SQL commands via the page parameter. | |||
| CVE-2008-4633 | 0.00 | — | 0.01 | Oct 21, 2008 | SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when "Allow user to vote again" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to a "previously cast vote." | |||
| CVE-2008-4534 | 0.00 | — | 0.01 | Oct 10, 2008 | SQL injection vulnerability in EC-CUBE Ver2 2.1.2a and earlier, and Ver2 RC 2.3.0-rc1 and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-4531 | 0.00 | — | 0.01 | Oct 9, 2008 | SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338. | |||
| CVE-2008-4487 | 0.00 | — | 0.01 | Oct 8, 2008 | SQL injection vulnerability in ap-save.php in Atarone CMS 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) site_name, (2) email, (3) theme_chosen, (4) hp, (5) c_meta, (6) id, and (7) c_js parameters. NOTE: the provenance of this information is… | |||
| CVE-2008-3063 | 0.00 | — | 0.01 | Oct 8, 2008 | SQL injection vulnerability in login.php in V-webmail 1.5.0 might allow remote attackers to execute arbitrary SQL commands via the username parameter. | |||
| CVE-2008-4433 | 0.00 | — | 0.01 | Oct 3, 2008 | SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter. | |||
| CVE-2008-4431 | 0.00 | — | 0.01 | Oct 3, 2008 | SQL injection vulnerability in index.php in IceBB 1.0-rc9.3 and earlier allows remote attackers to execute arbitrary SQL commands via the skin parameter, probably related to an incorrect protection mechanism in the clean_string function in includes/functions.php. | |||
| CVE-2008-4348 | 0.00 | — | 0.01 | Sep 30, 2008 | SQL injection vulnerability in photo.php in PHPortfolio, possibly 1.3, allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-4338 | 0.00 | — | 0.01 | Sep 30, 2008 | SQL injection vulnerability in the brilliant_gallery_checklist_save function in the bgchecklist/save script in Brilliant Gallery 5.x and 6.x, a module for Drupal, allows remote authenticated users with "access brilliant_gallery" permissions to execute arbitrary SQL commands via… | |||
| CVE-2008-4094 | 0.00 | — | 0.03 | Sep 30, 2008 | Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer. | |||
| CVE-2008-4148 | 0.00 | — | 0.01 | Sep 24, 2008 | SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API. | |||
| CVE-2008-4143 | 0.00 | — | 0.01 | Sep 24, 2008 | SQL injection vulnerability in category_search.php in RazorCommerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2008-4171 | 0.00 | — | 0.01 | Sep 22, 2008 | SQL injection vulnerability in xmlout.php in Invision Power Board (IP.Board or IPB) 2.2.x and 2.3.x allows remote attackers to execute arbitrary SQL commands via the name parameter. | |||
| CVE-2008-4078 | 0.00 | — | 0.02 | Sep 15, 2008 | SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-3965 | 0.00 | — | 0.01 | Sep 11, 2008 | SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field. | |||
| CVE-2008-3948 | 0.00 | — | 0.01 | Sep 5, 2008 | SQL injection vulnerability in admin/users/self-2.php in XRMS allows remote attackers to execute arbitrary SQL commands and modify name and email fields via unspecified vectors. | |||
| CVE-2008-3887 | 0.00 | — | 0.01 | Sep 2, 2008 | Multiple SQL injection vulnerabilities in index.php in dotProject 2.1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the tab parameter in a projects action, and (2) remote authenticated administrators to execute arbitrary SQL commands via the… | |||
| CVE-2008-3880 | 0.00 | — | 0.01 | Sep 2, 2008 | SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter. |
- CVE-2008-4655Oct 22, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Simple survey (simplesurvey) 1.7.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-4647Oct 22, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in index.php in sweetCMS 1.5.2 allows remote attackers to execute arbitrary SQL commands via the page parameter.
- CVE-2008-4633Oct 21, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in Node Vote 5.x before 5.x-1.1 and 6.x before 6.x-1.0, a module for Drupal, when "Allow user to vote again" is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors related to a "previously cast vote."
- CVE-2008-4534Oct 10, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in EC-CUBE Ver2 2.1.2a and earlier, and Ver2 RC 2.3.0-rc1 and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-4531Oct 9, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in Brilliant Gallery 5.x before 5.x-4.2, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to queries. NOTE: this might be the same issue as CVE-2008-4338.
- CVE-2008-4487Oct 8, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in ap-save.php in Atarone CMS 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) site_name, (2) email, (3) theme_chosen, (4) hp, (5) c_meta, (6) id, and (7) c_js parameters. NOTE: the provenance of this information is…
- CVE-2008-3063Oct 8, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in login.php in V-webmail 1.5.0 might allow remote attackers to execute arbitrary SQL commands via the username parameter.
- CVE-2008-4433Oct 3, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in search.php in the RMSOFT MiniShop module 1.0 for Xoops might allow remote attackers to execute arbitrary SQL commands via the itemsxpag parameter.
- CVE-2008-4431Oct 3, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in index.php in IceBB 1.0-rc9.3 and earlier allows remote attackers to execute arbitrary SQL commands via the skin parameter, probably related to an incorrect protection mechanism in the clean_string function in includes/functions.php.
- CVE-2008-4348Sep 30, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in photo.php in PHPortfolio, possibly 1.3, allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-4338Sep 30, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in the brilliant_gallery_checklist_save function in the bgchecklist/save script in Brilliant Gallery 5.x and 6.x, a module for Drupal, allows remote authenticated users with "access brilliant_gallery" permissions to execute arbitrary SQL commands via…
- CVE-2008-4094Sep 30, 2008risk 0.00cvss —epss 0.03
Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
- CVE-2008-4148Sep 24, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Mailhandler module 5.x before 5.x-1.4 and 6.x before 6.x-1.4, a module for Drupal, allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to composing queries without using the Drupal database API.
- CVE-2008-4143Sep 24, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in category_search.php in RazorCommerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2008-4171Sep 22, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in xmlout.php in Invision Power Board (IP.Board or IPB) 2.2.x and 2.3.x allows remote attackers to execute arbitrary SQL commands via the name parameter.
- CVE-2008-4078Sep 15, 2008risk 0.00cvss —epss 0.02
SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-3965Sep 11, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field.
- CVE-2008-3948Sep 5, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in admin/users/self-2.php in XRMS allows remote attackers to execute arbitrary SQL commands and modify name and email fields via unspecified vectors.
- CVE-2008-3887Sep 2, 2008risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in index.php in dotProject 2.1.2 allow (1) remote authenticated users to execute arbitrary SQL commands via the tab parameter in a projects action, and (2) remote authenticated administrators to execute arbitrary SQL commands via the…
- CVE-2008-3880Sep 2, 2008risk 0.00cvss —epss 0.01
SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter.