CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 86 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-9759 | Hig | 0.57 | 8.8 | 0.01 | Jun 19, 2017 | SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the filters array parameter, exploitable by a privileged account. | ||
| CVE-2017-2195 | Hig | 0.57 | 8.8 | 0.02 | Jun 9, 2017 | SQL injection vulnerability in the Multi Feed Reader prior to version 2.2.4 allows authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-7803 | Hig | 0.57 | 8.8 | 0.02 | Jun 9, 2017 | SQL injection vulnerability in the Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to execute arbitrary SQL commands via "MultiReport" function. | ||
| CVE-2017-9449 | Hig | 0.57 | 8.8 | 0.01 | Jun 6, 2017 | SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the… | ||
| CVE-2017-9443 | Hig | 0.57 | 8.8 | 0.01 | Jun 5, 2017 | BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and… | ||
| CVE-2017-9437 | Hig | 0.57 | 8.8 | 0.01 | Jun 5, 2017 | Openbravo Business Suite 3.0 is affected by SQL injection. This vulnerability could allow remote authenticated attackers to inject arbitrary SQL code. | ||
| CVE-2017-9435 | Cri | 0.57 | 9.8 | 0.01 | Jun 5, 2017 | Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). | ||
| CVE-2017-9427 | Hig | 0.57 | 8.8 | 0.02 | Jun 4, 2017 | SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the… | ||
| CVE-2017-6557 | Hig | 0.57 | 8.8 | 0.01 | May 5, 2017 | SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the portal bookmark function is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-1218 | Hig | 0.57 | 8.8 | 0.02 | Apr 20, 2017 | SQL injection vulnerability in Cybozu Garoon before 4.2.2. | ||
| CVE-2017-7717 | Hig | 0.57 | 8.8 | 0.02 | Apr 14, 2017 | SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504. | ||
| CVE-2016-4893 | Hig | 0.57 | 8.8 | 0.02 | Apr 12, 2017 | SQL injection vulnerability in the SetsucoCMS all versions allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-4468 | Hig | 0.57 | 8.8 | 0.02 | Apr 11, 2017 | SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows… | ||
| CVE-2015-6028 | Hig | 0.57 | 8.8 | 0.01 | Apr 10, 2017 | Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via the sc parameter. | ||
| CVE-2017-3835 | Hig | 0.57 | 8.8 | 0.02 | Feb 22, 2017 | A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users, because of SQL Injection. More Information: CSCvb15627. Known Affected Releases: 1.4(0.908). | ||
| CVE-2017-6065 | Hig | 0.57 | 8.8 | 0.01 | Feb 17, 2017 | SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter. | ||
| CVE-2017-5218 | Hig | 0.57 | 8.8 | 0.01 | Feb 2, 2017 | A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The… | ||
| CVE-2016-5952 | Hig | 0.57 | 8.8 | 0.01 | Feb 1, 2017 | IBM Kenexa LCMS Premier on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | ||
| CVE-2017-5611 | Cri | 0.57 | 9.8 | 0.10 | Jan 30, 2017 | SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. | ||
| CVE-2017-5609 | Hig | 0.57 | 8.8 | 0.02 | Jan 28, 2017 | SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter. |
- risk 0.57cvss 8.8epss 0.01
SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the filters array parameter, exploitable by a privileged account.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the Multi Feed Reader prior to version 2.2.4 allows authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to execute arbitrary SQL commands via "MultiReport" function.
- risk 0.57cvss 8.8epss 0.01
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the…
- risk 0.57cvss 8.8epss 0.01
BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and…
- risk 0.57cvss 8.8epss 0.01
Openbravo Business Suite 3.0 is affected by SQL injection. This vulnerability could allow remote authenticated attackers to inject arbitrary SQL code.
- risk 0.57cvss 9.8epss 0.01
Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the…
- risk 0.57cvss 8.8epss 0.01
SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the portal bookmark function is enabled, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in Cybozu Garoon before 4.2.2.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the SetsucoCMS all versions allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows…
- risk 0.57cvss 8.8epss 0.01
Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via the sc parameter.
- risk 0.57cvss 8.8epss 0.02
A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users, because of SQL Injection. More Information: CSCvb15627. Known Affected Releases: 1.4(0.908).
- risk 0.57cvss 8.8epss 0.01
SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter.
- risk 0.57cvss 8.8epss 0.01
A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. The AP_DocumentUI.asp web resource includes Utilityfuncs.js when the file is opened or viewed. This file crafts a SQL statement to identify the database that is to be in use with the current user's session. The…
- risk 0.57cvss 8.8epss 0.01
IBM Kenexa LCMS Premier on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
- risk 0.57cvss 9.8epss 0.10
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter.