VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 87 of 512
  • CVE-2016-4338HigJan 23, 2017
    risk 0.57cvss 8.1epss 0.21

    The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via…

  • CVE-2016-0769HigJan 23, 2017
    risk 0.57cvss 8.8epss 0.03

    Multiple SQL injection vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow (1) remote administrators to execute arbitrary SQL commands via the delid parameter or remote authenticated users to execute arbitrary SQL commands via the (2) view, (3)…

  • CVE-2017-5570HigJan 23, 2017
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a blind SQL injection within the messageJson.jsp, which can only be exploited by authenticated users via an HTTP POST request and which can be used to dump database data out to a malicious server,…

  • CVE-2017-5345HigJan 12, 2017
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in inc/lib/Control/Ajax/tags-ajax.control.php in GeniXCMS 0.0.8 allows remote authenticated editors to execute arbitrary SQL commands via the term parameter to the default URI.

  • CVE-2016-6619HigDec 11, 2016
    risk 0.57cvss 8.8epss 0.01

    An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17)…

  • CVE-2016-2873HigNov 30, 2016
    risk 0.57cvss 8.8epss 0.01

    SQL injection vulnerability in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2016-8908HigNov 14, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2016-8907HigNov 14, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2016-8906HigNov 14, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2016-8905HigNov 14, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.

  • CVE-2016-8904HigNov 14, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2016-8903HigNov 14, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.

  • CVE-2016-9242HigNov 7, 2016
    risk 0.57cvss 8.8epss 0.01

    Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS 2.4.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) content_type or (2) subtype parameter.

  • CVE-2016-6443HigOct 27, 2016
    risk 0.57cvss 8.8epss 0.03

    A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability.…

  • CVE-2016-1000000HigOct 6, 2016
    risk 0.57cvss 8.8epss 0.01

    Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection

  • CVE-2016-7405CriOct 3, 2016
    risk 0.57cvss 9.8epss 0.03

    The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.

  • CVE-2016-1446HigJul 15, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in Cisco WebEx Meetings Server 2.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuy83200.

  • CVE-2016-0233HigJun 28, 2016
    risk 0.57cvss 8.8epss 0.01

    SQL injection vulnerability in IBM Marketing Platform 8.5.x, 8.6.x, and 9.x before 9.1.2.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2015-8157HigJun 8, 2016
    risk 0.57cvss 8.8epss 0.02

    SQL injection vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP)…

  • CVE-2016-3172HigApr 12, 2016
    risk 0.57cvss 8.8epss 0.03

    SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action.