CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (12,807)
page 637 of 641| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2006-6073 | 0.00 | — | 0.01 | Nov 24, 2006 | Multiple SQL injection vulnerabilities in Enthrallweb eShopping Cart allow remote attackers to execute arbitrary SQL commands via the (1) ProductID parameter in productdetail.asp or the (2) categoryid parameter in products.asp. | |||
| CVE-2006-6048 | 0.00 | — | 0.01 | Nov 22, 2006 | SQL injection vulnerability in index.php in Etomite CMS 0.6.1.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2006-5840 | 0.00 | — | 0.02 | Nov 10, 2006 | Multiple SQL injection vulnerabilities in Abarcar Realty Portal allow remote attackers to execute arbitrary SQL commands via the (1) neid parameter to newsdetails.php, or the (2) slid parameter to slistl.php. NOTE: the cat vector is already covered by CVE-2006-2853. NOTE: the… | |||
| CVE-2006-5606 | 0.00 | — | 0.01 | Oct 31, 2006 | Multiple SQL injection vulnerabilities in BytesFall Explorer (bfExplorer) 0.0.7.1 and earlier allow remote attackers to execute arbitrary SQL commands via the username ($User variable) to login/doLogin.php and other unspecified vectors. | |||
| CVE-2006-5242 | 0.00 | — | 0.01 | Oct 12, 2006 | SQL injection vulnerability in Etomite Content Management System (CMS) before 0.6.1.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2006-4785 | 0.00 | — | 0.03 | Sep 14, 2006 | SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record function, which calls… | |||
| CVE-2006-4756 | 0.00 | — | 0.01 | Sep 13, 2006 | SQL injection vulnerability in alpha.php in phpMyDirectory 10.4.6 and earlier allows remote attackers to execute arbitrary SQL commands via the letter parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | |||
| CVE-2006-4736 | 0.00 | — | 0.01 | Sep 13, 2006 | Multiple SQL injection vulnerabilities in index.php in CMS.R. 5.5 allow remote attackers to execute arbitrary SQL commands via the (1) adminname and (2) adminpass parameters. NOTE: some of these details are obtained from third party information. | |||
| CVE-2006-4734 | 0.00 | — | 0.01 | Sep 13, 2006 | Multiple SQL injection vulnerabilities in tiki-g-admin_processes.php in Tikiwiki 1.9.4 allow remote attackers to execute arbitrary SQL commands via the (1) pid and (2) where parameters. | |||
| CVE-2006-4564 | 0.00 | — | 0.01 | Sep 6, 2006 | SQL injection vulnerability in Sources/ManageBoards.php in Simple Machines Forum 1.1 RC3 allows remote attackers to execute arbitrary SQL commands via the cur_cat parameter. | |||
| CVE-2006-4214 | 0.00 | — | 0.02 | Aug 17, 2006 | Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) GPC data to the ipn_get_stored_session function in ipn_main_handler.php, which can be leveraged to modify elements of $_SESSION; and allow… | |||
| CVE-2006-4039 | 0.00 | — | 0.02 | Aug 9, 2006 | Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos 0.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) gastname, (2) gastwohnort, or (3) gasteintrag parameters. | |||
| CVE-2006-3688 | 0.00 | — | 0.01 | Jul 21, 2006 | SQL injection vulnerability in Room.php in Francisco Charrua Photo-Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2006-3430 | 0.00 | — | 0.02 | Jul 7, 2006 | SQL injection vulnerability in checkprofile.asp in (1) PatchLink Update Server (PLUS) before 6.1 P1 and 6.2.x before 6.2 SR1 P1 and (2) Novell ZENworks 6.2 SR1 and earlier, allows remote attackers to execute arbitrary SQL commands via the agentid parameter. | |||
| CVE-2006-3318 | 0.00 | — | 0.01 | Jun 29, 2006 | SQL injection vulnerability in register.php for phpRaid 3.0.6 and possibly other versions, when the authorization type is phpraid, allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) email parameters. | |||
| CVE-2006-3181 | 0.00 | — | 0.01 | Jun 23, 2006 | SQL injection vulnerability in index.php in MobeScripts Mobile Space Community 2.0 allows remote attackers to execute arbitrary SQL commands via the browse parameter. | |||
| CVE-2006-3139 | 0.00 | — | 0.02 | Jun 22, 2006 | Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters. | |||
| CVE-2006-3064 | 0.00 | — | 0.01 | Jun 19, 2006 | SQL injection vulnerability in the add_hit function in include/function.inc.php in Coppermine Photo Gallery (CPG) 1.4.8, when "Keep detailed hit statistics" is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) referer and (2) user-agent HTTP headers. | |||
| CVE-2006-3048 | 0.00 | — | 0.01 | Jun 16, 2006 | SQL injection vulnerability in TikiWiki 1.9.3.2 and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via unknown attack vectors. | |||
| CVE-2006-2977 | 0.00 | — | 0.01 | Jun 12, 2006 | SQL injection vulnerability in big.php in Mafia Moblog 0.6M1 and earlier allows remote attackers to execute arbitrary SQL commands via the img parameter. |
- CVE-2006-6073Nov 24, 2006risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in Enthrallweb eShopping Cart allow remote attackers to execute arbitrary SQL commands via the (1) ProductID parameter in productdetail.asp or the (2) categoryid parameter in products.asp.
- CVE-2006-6048Nov 22, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in index.php in Etomite CMS 0.6.1.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2006-5840Nov 10, 2006risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in Abarcar Realty Portal allow remote attackers to execute arbitrary SQL commands via the (1) neid parameter to newsdetails.php, or the (2) slid parameter to slistl.php. NOTE: the cat vector is already covered by CVE-2006-2853. NOTE: the…
- CVE-2006-5606Oct 31, 2006risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in BytesFall Explorer (bfExplorer) 0.0.7.1 and earlier allow remote attackers to execute arbitrary SQL commands via the username ($User variable) to login/doLogin.php and other unspecified vectors.
- CVE-2006-5242Oct 12, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in Etomite Content Management System (CMS) before 0.6.1.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2006-4785Sep 14, 2006risk 0.00cvss —epss 0.03
SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record function, which calls…
- CVE-2006-4756Sep 13, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in alpha.php in phpMyDirectory 10.4.6 and earlier allows remote attackers to execute arbitrary SQL commands via the letter parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
- CVE-2006-4736Sep 13, 2006risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in index.php in CMS.R. 5.5 allow remote attackers to execute arbitrary SQL commands via the (1) adminname and (2) adminpass parameters. NOTE: some of these details are obtained from third party information.
- CVE-2006-4734Sep 13, 2006risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in tiki-g-admin_processes.php in Tikiwiki 1.9.4 allow remote attackers to execute arbitrary SQL commands via the (1) pid and (2) where parameters.
- CVE-2006-4564Sep 6, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in Sources/ManageBoards.php in Simple Machines Forum 1.1 RC3 allows remote attackers to execute arbitrary SQL commands via the cur_cat parameter.
- CVE-2006-4214Aug 17, 2006risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in Zen Cart 1.3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via (1) GPC data to the ipn_get_stored_session function in ipn_main_handler.php, which can be leveraged to modify elements of $_SESSION; and allow…
- CVE-2006-4039Aug 9, 2006risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos 0.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) gastname, (2) gastwohnort, or (3) gasteintrag parameters.
- CVE-2006-3688Jul 21, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in Room.php in Francisco Charrua Photo-Gallery 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- CVE-2006-3430Jul 7, 2006risk 0.00cvss —epss 0.02
SQL injection vulnerability in checkprofile.asp in (1) PatchLink Update Server (PLUS) before 6.1 P1 and 6.2.x before 6.2 SR1 P1 and (2) Novell ZENworks 6.2 SR1 and earlier, allows remote attackers to execute arbitrary SQL commands via the agentid parameter.
- CVE-2006-3318Jun 29, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in register.php for phpRaid 3.0.6 and possibly other versions, when the authorization type is phpraid, allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) email parameters.
- CVE-2006-3181Jun 23, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in index.php in MobeScripts Mobile Space Community 2.0 allows remote attackers to execute arbitrary SQL commands via the browse parameter.
- CVE-2006-3139Jun 22, 2006risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters.
- CVE-2006-3064Jun 19, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in the add_hit function in include/function.inc.php in Coppermine Photo Gallery (CPG) 1.4.8, when "Keep detailed hit statistics" is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) referer and (2) user-agent HTTP headers.
- CVE-2006-3048Jun 16, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in TikiWiki 1.9.3.2 and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.
- CVE-2006-2977Jun 12, 2006risk 0.00cvss —epss 0.01
SQL injection vulnerability in big.php in Mafia Moblog 0.6M1 and earlier allows remote attackers to execute arbitrary SQL commands via the img parameter.