VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (8,798)

page 8 of 440
| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-16543 | Cri | 0.67 | 9.8 | 0.02 |  | Nov 5, 2017 | Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. |
| CVE-2017-15993 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. |
| CVE-2017-15992 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php. |
| CVE-2017-15991 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951, CVE-2009-3497, and CVE-2012-0982. |
| CVE-2017-15989 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action. |
| CVE-2017-15988 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525. |
| CVE-2017-15987 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter. |
| CVE-2017-15986 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | CPA Lead Reward Script allows SQL Injection via the username parameter. |
| CVE-2017-15985 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter. |
| CVE-2017-15984 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Creative Management System (CMS) Lite 1.4 allows SQL Injection via the S parameter to index.php. |
| CVE-2017-15983 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. |
| CVE-2017-15982 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. |
| CVE-2017-15981 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. |
| CVE-2017-15980 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter. |
| CVE-2017-15979 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the photo parameter. |
| CVE-2017-15978 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter. |
| CVE-2017-15977 | Cri | 0.67 | 9.8 | 0.01 |  | Oct 31, 2017 | Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter. |
| CVE-2017-15976 | Cri | 0.67 | 9.8 | 0.03 |  | Oct 29, 2017 | ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604. |
| CVE-2017-15975 | Cri | 0.67 | 9.8 | 0.03 |  | Oct 29, 2017 | Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_id' to add_to_cart.php, a different vulnerability than CVE-2008-4461. |
| CVE-2017-15974 | Cri | 0.67 | 9.8 | 0.04 |  | Oct 29, 2017 | tPanel 2009 allows SQL injection for Authentication Bypass via 'or 1=1 or ''=' to login.php. |