VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 7 of 512
  • CVE-2018-5991CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798.

  • CVE-2018-5990CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joomla! via the divid parameter.

  • CVE-2018-5989CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the ccNewsletter 2.x component for Joomla! via the id parameter in a task=removeSubscriber action, a related issue to CVE-2011-5099.

  • CVE-2018-5987CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 component for Joomla! via the pin_id or user_id parameter in a task=getlikeinfo action, the ends parameter in a view=gift action, the category parameter in a view=home action, the uid parameter in a view=pindisplay…

  • CVE-2018-5983CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the JquickContact 1.3.2.2.1 component for Joomla! via a task=refresh&sid= request.

  • CVE-2018-5982CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Advertisement Board 3.1.0 component for Joomla! via a task=show_rss_categories&catname= request.

  • CVE-2018-5981CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.

  • CVE-2018-5980CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.04

    SQL Injection exists in the Solidres 2.5.1 component for Joomla! via the direction parameter in a hub.search action.

  • CVE-2018-5975CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI.

  • CVE-2018-5974CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter.

  • CVE-2018-5971CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joomla! via the id parameter or the mid array parameter.

  • CVE-2018-5970CriFeb 17, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the JGive 2.0.9 component for Joomla! via the filter_org_ind_type or campaign_countries parameter.

  • CVE-2018-6609CriFeb 5, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action.

  • CVE-2018-6604CriFeb 5, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! via the id parameter in a task=getPlacemarkDetails request.

  • CVE-2018-6582CriFeb 5, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.

  • CVE-2018-6581CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in the JMS Music 1.1.1 component for Joomla! via a search with the keyword, artist, or username parameter.

  • CVE-2018-6579CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.04

    SQL Injection exists in the JEXTN Reverse Auction 3.1.0 component for Joomla! via a view=products&uid= request.

  • CVE-2018-6578CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.04

    SQL Injection exists in the JE PayperVideo 3.0.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.

  • CVE-2018-6577CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.02

    SQL Injection exists in the JEXTN Membership 3.1.0 component for Joomla! via the usr_plan parameter in a view=myplans&task=myplans.usersubscriptions request.

  • CVE-2018-6576CriFeb 2, 2018
    risk 0.67cvss 9.8epss 0.03

    SQL Injection exists in Event Manager 1.0 via the event.php id parameter or the page.php slug parameter.