VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 86 of 512
  • CVE-2017-9759HigJun 19, 2017
    risk 0.57cvss 8.8epss 0.01

    SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the filters array parameter, exploitable by a privileged account.

  • CVE-2017-2195HigJun 9, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the Multi Feed Reader prior to version 2.2.4 allows authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-7803HigJun 9, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to execute arbitrary SQL commands via "MultiReport" function.

  • CVE-2017-9449HigJun 6, 2017
    risk 0.57cvss 8.8epss 0.01

    SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the…

  • CVE-2017-9443HigJun 5, 2017
    risk 0.57cvss 8.8epss 0.01

    BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and…

  • CVE-2017-9437HigJun 5, 2017
    risk 0.57cvss 8.8epss 0.01

    Openbravo Business Suite 3.0 is affected by SQL injection. This vulnerability could allow remote authenticated attackers to inject arbitrary SQL code.

  • CVE-2017-9435CriJun 5, 2017
    risk 0.57cvss 9.8epss 0.01

    Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).

  • CVE-2017-9427HigJun 4, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the…

  • CVE-2017-6557HigMay 5, 2017
    risk 0.57cvss 8.8epss 0.01

    SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the portal bookmark function is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-1218HigApr 20, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in Cybozu Garoon before 4.2.2.

  • CVE-2017-7717HigApr 14, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.

  • CVE-2016-4893HigApr 12, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the SetsucoCMS all versions allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-4468HigApr 11, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows…

  • CVE-2015-6028HigApr 10, 2017
    risk 0.57cvss 8.8epss 0.01

    Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via the sc parameter.

  • CVE-2017-3835HigFeb 22, 2017
    risk 0.57cvss 8.8epss 0.02

    A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users, because of SQL Injection. More Information: CSCvb15627. Known Affected Releases: 1.4(0.908).

  • CVE-2017-6065HigFeb 17, 2017
    risk 0.57cvss 8.8epss 0.01

    SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter.

  • CVE-2017-5218HigFeb 2, 2017
    risk 0.57cvss 8.8epss 0.01

    A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The…

  • CVE-2016-5952HigFeb 1, 2017
    risk 0.57cvss 8.8epss 0.01

    IBM Kenexa LCMS Premier on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

  • CVE-2017-5611CriJan 30, 2017
    risk 0.57cvss 9.8epss 0.10

    SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

  • CVE-2017-5609HigJan 28, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter.