CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 8 of 512
  • CVE-2018-6575 · Critical · Feb 2, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the JEXTN Classified 1.0.0 component for Joomla! via a view=boutique&sid= request.

  • CVE-2018-6398 · Critical · Jan 30, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load action.

  • CVE-2018-6395 · Critical · Jan 30, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action.

  • CVE-2018-6367 · Critical · Jan 29, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in Vastal I-Tech Buddy Zone Facebook Clone 2.9.9 via the /chat_im/chat_window.php request_id parameter or the /search_events.php category parameter.

  • CVE-2018-6365 · Critical · Jan 29, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in TSiteBuilder 1.0 via the id parameter to /site.php, /pagelist.php, or /page_new.php.

  • CVE-2018-6364 · Critical · Jan 29, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in Multilanguage Real Estate MLM Script through 3.0 via the /product-list.php srch parameter.

  • CVE-2018-6363 · Critical · Jan 29, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in Task Rabbit Clone 1.0 via the single_blog.php id parameter.

  • CVE-2017-1000474 · Critical · Jan 24, 2018
    risk 0.67 · cvss 9.8 · epss 0.02

    Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is vulnerable to multiple SQL Injection issues in the login/vehicle.php, login/profile.php, login/Actions.php, login/manage_employee.php, and login/sell.php scripts, resulting in the exposure of users' login credentials, SQL…

  • CVE-2018-5986 · Critical · Jan 24, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php.

  • CVE-2018-5984 · Critical · Jan 24, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 component for Joomla! via the PATH_INFO to the category/ URI.

  • CVE-2018-5978 · Critical · Jan 24, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the login.php User field.

  • CVE-2018-5977 · Critical · Jan 24, 2018
    risk 0.67 · cvss 9.8 · epss 0.02

    SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&price_type=range&price= request.

  • CVE-2017-17999 · Critical · Jan 23, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allows remote attackers to execute arbitrary SQL commands via the search parameter to index.php/knowledge_base/get_article_suggestion/.

  • CVE-2018-5315 · Critical · Jan 12, 2018
    risk 0.67 · cvss 9.8 · epss 0.05

    The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php.

  • CVE-2017-17970 · Critical · Jan 12, 2018
    risk 0.67 · cvss 9.8 · epss 0.05

    Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to…

  • CVE-2018-5211 · Critical · Jan 9, 2018
    risk 0.67 · cvss 9.8 · epss 0.02

    PHP Melody version 2.7.1 suffers from a time-based SQL Injection attack on the page ajax.php via the playlist parameter.

  • CVE-2017-16716 · Critical · Jan 5, 2018
    risk 0.67 · cvss 9.8 · epss 0.06

    A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands.

  • CVE-2017-17875 · Critical · Dec 27, 2017
    risk 0.67 · cvss 9.8 · epss 0.03

    The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action.

  • CVE-2017-17873 · Critical · Dec 27, 2017
    risk 0.67 · cvss 9.8 · epss 0.03

    Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI.

  • CVE-2017-17872 · Critical · Dec 27, 2017
    risk 0.67 · cvss 9.8 · epss 0.03

    The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action.