CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 84 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-5372 | Hig | 0.57 | 8.8 | 0.01 | Jan 12, 2018 | The Testimonial Slider plugin through 1.2.4 for WordPress has SQL Injection via settings\sliders.php (current_slider_id parameter). | ||
| CVE-2017-17983 | Hig | 0.57 | 8.8 | 0.01 | Dec 30, 2017 | PHP Scripts Mall Muslim Matrimonial Script has SQL injection via the view-profile.php mem_id parameter. | ||
| CVE-2017-17950 | Hig | 0.57 | 8.8 | 0.01 | Dec 28, 2017 | Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter. | ||
| CVE-2017-17900 | Cri | 0.57 | 9.8 | 0.02 | Dec 27, 2017 | SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter. | ||
| CVE-2017-17899 | Cri | 0.57 | 9.8 | 0.02 | Dec 27, 2017 | SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. | ||
| CVE-2017-17897 | Cri | 0.57 | 9.8 | 0.02 | Dec 27, 2017 | SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||
| CVE-2017-1757 | Hig | 0.57 | 8.8 | 0.02 | Dec 20, 2017 | IBM Security Guardium 10.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 135858. | ||
| CVE-2017-17695 | Hig | 0.57 | 8.8 | 0.01 | Dec 15, 2017 | Techno - Portfolio Management Panel through 2017-11-16 allows SQL Injection via the panel/search.php s parameter. | ||
| CVE-2017-5663 | Hig | 0.57 | 8.8 | 0.02 | Dec 14, 2017 | In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and… | ||
| CVE-2017-1606 | Hig | 0.57 | 8.8 | 0.01 | Dec 11, 2017 | IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) 3.0.0.0 through 3.0.0.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end… | ||
| CVE-2017-1356 | Hig | 0.57 | 8.8 | 0.01 | Dec 7, 2017 | IBM Atlas eDiscovery Process Management 6.0.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 126683. | ||
| CVE-2017-17103 | Hig | 0.57 | 8.8 | 0.01 | Dec 4, 2017 | Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges. | ||
| CVE-2017-16955 | Hig | 0.57 | 8.8 | 0.02 | Nov 27, 2017 | SQL injection vulnerability in the InLinks plugin through 1.1 for WordPress allows authenticated users to execute arbitrary SQL commands via the "keyword" parameter to /wp-admin/options-general.php?page=inlinks/inlinks.php. | ||
| CVE-2017-11508 | Hig | 0.57 | 8.8 | 0.01 | Nov 2, 2017 | SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2 contain a SQL Injection vulnerability that could be exploited by an authenticated user with sufficient privileges to run diagnostic scans. An attacker could exploit this vulnerability by entering a crafted SQL query into the… | ||
| CVE-2017-16510 | Cri | 0.57 | 9.8 | 0.08 | Nov 2, 2017 | WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. | ||
| CVE-2017-15378 | Hig | 0.57 | 8.8 | 0.01 | Oct 23, 2017 | SQL Injection exists in the E-Sic 1.0 password reset parameter (aka the cpfcnpj parameter to the /reset URI). | ||
| CVE-2017-2133 | Hig | 0.57 | 8.8 | 0.01 | Oct 20, 2017 | SQL injection vulnerability in Panasonic KX-HJB1000 Home unit devices with firmware GHX1YG 14.50 or HJB1000_4.47 allows authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2017-1000120 | Hig | 0.57 | 8.8 | 0.01 | Oct 5, 2017 | [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. | ||
| CVE-2017-1311 | Hig | 0.57 | 8.8 | 0.02 | Oct 3, 2017 | IBM Insights Foundation for Energy 2.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 125719. | ||
| CVE-2017-14508 | Hig | 0.57 | 8.8 | 0.03 | Sep 17, 2017 | An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as… |
- risk 0.57cvss 8.8epss 0.01
The Testimonial Slider plugin through 1.2.4 for WordPress has SQL Injection via settings\sliders.php (current_slider_id parameter).
- risk 0.57cvss 8.8epss 0.01
PHP Scripts Mall Muslim Matrimonial Script has SQL injection via the view-profile.php mem_id parameter.
- risk 0.57cvss 8.8epss 0.01
Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter.
- risk 0.57cvss 9.8epss 0.02
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter.
- risk 0.57cvss 9.8epss 0.02
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.
- risk 0.57cvss 9.8epss 0.02
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
- risk 0.57cvss 8.8epss 0.02
IBM Security Guardium 10.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 135858.
- risk 0.57cvss 8.8epss 0.01
Techno - Portfolio Management Panel through 2017-11-16 allows SQL Injection via the panel/search.php s parameter.
- risk 0.57cvss 8.8epss 0.02
In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and…
- risk 0.57cvss 8.8epss 0.01
IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) 3.0.0.0 through 3.0.0.7 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end…
- risk 0.57cvss 8.8epss 0.01
IBM Atlas eDiscovery Process Management 6.0.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 126683.
- risk 0.57cvss 8.8epss 0.01
Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_POST[name] or $_POST[email]. This vulnerability can lead to escalation from normal user privileges to administrator privileges.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the InLinks plugin through 1.1 for WordPress allows authenticated users to execute arbitrary SQL commands via the "keyword" parameter to /wp-admin/options-general.php?page=inlinks/inlinks.php.
- risk 0.57cvss 8.8epss 0.01
SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2 contain a SQL Injection vulnerability that could be exploited by an authenticated user with sufficient privileges to run diagnostic scans. An attacker could exploit this vulnerability by entering a crafted SQL query into the…
- risk 0.57cvss 9.8epss 0.08
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
- risk 0.57cvss 8.8epss 0.01
SQL Injection exists in the E-Sic 1.0 password reset parameter (aka the cpfcnpj parameter to the /reset URI).
- risk 0.57cvss 8.8epss 0.01
SQL injection vulnerability in Panasonic KX-HJB1000 Home unit devices with firmware GHX1YG 14.50 or HJB1000_4.47 allows authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.57cvss 8.8epss 0.01
[ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter.
- risk 0.57cvss 8.8epss 0.02
IBM Insights Foundation for Energy 2.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 125719.
- risk 0.57cvss 8.8epss 0.03
An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as…