VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,798)

page 7 of 440
| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-17587 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter. |
| CVE-2017-17586 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter. |
| CVE-2017-17585 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter. |
| CVE-2017-17584 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter. |
| CVE-2017-17583 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter. |
| CVE-2017-17582 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter. |
| CVE-2017-17581 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid parameter. |
| CVE-2017-17580 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Linkedin Clone 1.0 has SQL Injection via the group.php grid parameter, profile.php fid parameter, or company_details.php id parameter. |
| CVE-2017-17579 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter. |
| CVE-2017-17578 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter. |
| CVE-2017-17577 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Trademe Clone 1.0 has SQL Injection via the search_item.php search parameter or the general_item_details.php id parameter. |
| CVE-2017-17576 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat parameter, browse-scategory.php sc parameter, or service-provider.php ser parameter. |
| CVE-2017-17575 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Groupon Clone 1.0 has SQL Injection via the item_details.php id parameter or the vendor_details.php id parameter. |
| CVE-2017-17574 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter. |
| CVE-2017-17573 | Critical | 0.67 | 9.8 | 0.03 | | Dec 13, 2017 | FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, or the search.php category_id or sub_category_id parameter. |
| CVE-2017-17572 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Amazon Clone 1.0 has SQL Injection via the PATH_INFO to /VerAyari. |
| CVE-2017-17571 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parameter. |
| CVE-2017-17570 | Critical | 0.67 | 9.8 | 0.02 | | Dec 13, 2017 | FS Expedia Clone 1.0 has SQL Injection via the pages.php or content.php id parameter, or the show-flight-result.php fl_orig or fl_dest parameter. |
| CVE-2015-3934 | Critical | 0.67 | 9.8 | 0.01 | | Nov 21, 2017 | Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user parameter to user/login. |
| CVE-2015-3933 | Critical | 0.67 | 9.8 | 0.02 | | Nov 8, 2017 | Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php. |