CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 66 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-52215 | | Critical | 0.60 | 9.3 | 0.01 | | Jan 8, 2024 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in UkrSolution Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce. This issue affects Simple Inventory Management – just scan barcode… |
| CVE-2023-51469 | | Critical | 0.60 | 9.3 | 0.01 | | Dec 31, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mestres do WP Checkout Mestres WP. This issue affects Checkout Mestres WP: from n/a through 7.1.9.6. |
| CVE-2023-51423 | | Critical | 0.60 | 9.3 | 0.01 | | Dec 31, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings \| WebinarIgnition. This issue affects Webinar Plugin: Create… |
| CVE-2023-49752 | | Critical | 0.60 | 9.3 | 0.01 | | Dec 20, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoon themes Adifier - Classified Ads WordPress Theme. This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4. |
| CVE-2023-40010 | | Critical | 0.60 | 9.3 | 0.01 | | Dec 20, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in realmag777 HUSKY – Products Filter for WooCommerce Professional. This issue affects HUSKY – Products Filter for WooCommerce Professional: from n/a through 1.3.4.2. |
| CVE-2023-41887 | | Critical | 0.60 | 9.8 | 0.45 | | Sep 15, 2023 | OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue. |
| CVE-2023-24788 | | High | 0.60 | 8.8 | 0.03 | | Mar 23, 2023 | NotrinosERP v0.7 was discovered to contain a SQL injection vulnerability via the OrderNumber parameter at /NotrinosERP/sales/customer_delivery.php. |
| CVE-2021-35042 | | Critical | 0.60 | 9.8 | 0.44 | | Jul 2, 2021 | Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. |
| CVE-2018-12254 | | High | 0.60 | 8.8 | 0.03 | | Jun 12, 2018 | router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for Joomla! allows SQL Injection via the PATH_INFO to a home/requested_user/Sent%20interest/ URI. |
| CVE-2018-10256 | | High | 0.60 | 8.8 | 0.03 | | May 1, 2018 | A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query. |
| CVE-2018-1282 | | Critical | 0.60 | 9.1 | 0.06 | | Apr 5, 2018 | This vulnerability in Apache Hive JDBC driver 0.7.1 to 2.3.2 allows carefully crafted arguments to be used to bypass the argument escaping/cleanup that the JDBC driver does in its PreparedStatement implementation. |
| CVE-2018-8045 | | High | 0.60 | 8.8 | 0.29 | | Mar 15, 2018 | In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view. |
| CVE-2017-17615 | | High | 0.60 | 8.8 | 0.02 | | Dec 13, 2017 | Facebook Clone Script 1.0 has SQL Injection via the friend-profile.php id parameter. |
| CVE-2017-15578 | | High | 0.60 | 8.8 | 0.01 | | Oct 18, 2017 | In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the image parameter to admin/edit_category.php. |
| CVE-2017-14848 | | High | 0.60 | 8.8 | 0.03 | | Oct 3, 2017 | WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter. |
| CVE-2017-14758 | | High | 0.60 | 8.8 | 0.03 | | Oct 3, 2017 | OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xAdmin/html/cm_doclist_view_uc.jsp, parameter: documentId. In order for this vulnerability to be exploited, an… |
| CVE-2017-14757 | | High | 0.60 | 8.8 | 0.02 | | Oct 3, 2017 | OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 (older versions might be affected as well) is prone to SQL Injection: /xDashboard/html/jobhistory/downloadSupportFile.action, parameter: jobRunId. In order for this vulnerability to… |
| CVE-2017-14847 | | High | 0.60 | 8.8 | 0.03 | | Sep 28, 2017 | Mojoomla WPAMS Apartment Management System for WordPress allows SQL Injection via the id parameter. |
| CVE-2017-14846 | | High | 0.60 | 8.8 | 0.03 | | Sep 28, 2017 | Mojoomla Hospital Management System for WordPress allows SQL Injection via the id parameter. |
| CVE-2017-14845 | | High | 0.60 | 8.8 | 0.03 | | Sep 28, 2017 | Mojoomla WPCHURCH Church Management System for WordPress allows SQL Injection via the id parameter. |