VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

  • CVE-2023-52215 · Critical · Jan 8, 2024
    risk 0.60 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in UkrSolution Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce. This issue affects Simple Inventory Management – just scan barcode…

  • CVE-2023-51469 · Critical · Dec 31, 2023
    risk 0.60 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mestres do WP Checkout Mestres WP. This issue affects Checkout Mestres WP: from n/a through 7.1.9.6.

  • CVE-2023-51423 · Critical · Dec 31, 2023
    risk 0.60 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition. This issue affects Webinar Plugin: Create…

  • CVE-2023-49752 · Critical · Dec 20, 2023
    risk 0.60 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoon themes Adifier - Classified Ads WordPress Theme. This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4.

  • CVE-2023-40010 · Critical · Dec 20, 2023
    risk 0.60 · CVSS 9.3 · EPSS 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in realmag777 HUSKY – Products Filter for WooCommerce Professional. This issue affects HUSKY – Products Filter for WooCommerce Professional: from n/a through 1.3.4.2.

  • CVE-2023-41887 · Critical · Sep 15, 2023
    risk 0.60 · CVSS 9.8 · EPSS 0.45

    OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.

  • CVE-2023-24788 · High · Mar 23, 2023
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at /NotrinosERP/sales/customer_delivery.php.

  • CVE-2021-35042 · Critical · Jul 2, 2021
    risk 0.60 · CVSS 9.8 · EPSS 0.44

    Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

  • CVE-2018-12254 · High · Jun 12, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for Joomla! allows SQL Injection via the PATH_INFO to a home/requested_user/Sent%20interest/ URI.

  • CVE-2018-10256 · High · May 1, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query.

  • CVE-2018-1282 · Critical · Apr 5, 2018
    risk 0.60 · CVSS 9.1 · EPSS 0.06

    This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that the JDBC driver does in its PreparedStatement implementation.

  • CVE-2018-8045 · High · Mar 15, 2018
    risk 0.60 · CVSS 8.8 · EPSS 0.29

    In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.

  • CVE-2017-17615 · High · Dec 13, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    Facebook Clone Script 1.0 has SQL Injection via the friend-profile.php id parameter.

  • CVE-2017-15578 · High · Oct 18, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.01

    In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php.

  • CVE-2017-14848 · High · Oct 3, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.

  • CVE-2017-14758 · High · Oct 3, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulnerability to be exploited, an…

  • CVE-2017-14757 · High · Oct 3, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.02

    OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to…

  • CVE-2017-14847 · High · Sep 28, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    Mojoomla WPAMS Apartment Management System for WordPress allows SQL Injection via the id parameter.

  • CVE-2017-14846 · High · Sep 28, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    Mojoomla Hospital Management System for WordPress allows SQL Injection via the id parameter.

  • CVE-2017-14845 · High · Sep 28, 2017
    risk 0.60 · CVSS 8.8 · EPSS 0.03

    Mojoomla WPCHURCH Church Management System for WordPress allows SQL Injection via the id parameter.