CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
Page 8 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-6575 | — | Cri | 0.67 | 9.8 | 0.03 | | Feb 2, 2018 | SQL Injection exists in the JEXTN Classified 1.0.0 component for Joomla! via a view=boutique&sid= request. |
| CVE-2018-6398 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 30, 2018 | SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load action. |
| CVE-2018-6395 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 30, 2018 | SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action. |
| CVE-2018-6367 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 29, 2018 | SQL Injection exists in Vastal I-Tech Buddy Zone Facebook Clone 2.9.9 via the /chat_im/chat_window.php request_id parameter or the /search_events.php category parameter. |
| CVE-2018-6365 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 29, 2018 | SQL Injection exists in TSiteBuilder 1.0 via the id parameter to /site.php, /pagelist.php, or /page_new.php. |
| CVE-2018-6364 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 29, 2018 | SQL Injection exists in Multilanguage Real Estate MLM Script through 3.0 via the /product-list.php srch parameter. |
| CVE-2018-6363 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 29, 2018 | SQL Injection exists in Task Rabbit Clone 1.0 via the single_blog.php id parameter. |
| CVE-2017-1000474 | — | Cri | 0.67 | 9.8 | 0.02 | | Jan 24, 2018 | Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is vulnerable to multiple SQL Injecting in login/vehicle.php, login/profile.php, login/Actions.php, login/manage_employee.php, and login/sell.php scripts resulting in the expose of user's login credentials, SQL… |
| CVE-2018-5986 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 24, 2018 | SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php. |
| CVE-2018-5984 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 24, 2018 | SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 component for Joomla! via the PATH_INFO to the category/ URI. |
| CVE-2018-5978 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 24, 2018 | SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the login.php User field. |
| CVE-2018-5977 | — | Cri | 0.67 | 9.8 | 0.02 | | Jan 24, 2018 | SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&price_type=range&price= request. |
| CVE-2017-17999 | — | Cri | 0.67 | 9.8 | 0.03 | | Jan 23, 2018 | SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allows remote attackers to execute arbitrary SQL commands via the search parameter to index.php/knowledge_base/get_article_suggestion/. |
| CVE-2018-5315 | — | Cri | 0.67 | 9.8 | 0.05 | | Jan 12, 2018 | The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php. |
| CVE-2017-17970 | — | Cri | 0.67 | 9.8 | 0.05 | | Jan 12, 2018 | Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to… |
| CVE-2018-5211 | — | Cri | 0.67 | 9.8 | 0.02 | | Jan 9, 2018 | PHP Melody version 2.7.1 suffer from SQL Injection Time-based attack on the page ajax.php with the parameter playlist. |
| CVE-2017-16716 | — | Cri | 0.67 | 9.8 | 0.06 | | Jan 5, 2018 | A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands. |
| CVE-2017-17875 | — | Cri | 0.67 | 9.8 | 0.03 | | Dec 27, 2017 | The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action. |
| CVE-2017-17873 | — | Cri | 0.67 | 9.8 | 0.03 | | Dec 27, 2017 | Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI. |
| CVE-2017-17872 | — | Cri | 0.67 | 9.8 | 0.03 | | Dec 27, 2017 | The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action. |