CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 87 of 512| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-4338 | Hig | 0.57 | 8.1 | 0.21 | Jan 23, 2017 | The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via… | ||
| CVE-2016-0769 | Hig | 0.57 | 8.8 | 0.03 | Jan 23, 2017 | Multiple SQL injection vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow (1) remote administrators to execute arbitrary SQL commands via the delid parameter or remote authenticated users to execute arbitrary SQL commands via the (2) view, (3)… | ||
| CVE-2017-5570 | Hig | 0.57 | 8.8 | 0.01 | Jan 23, 2017 | An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a blind SQL injection within the messageJson.jsp, which can only be exploited by authenticated users via an HTTP POST request and which can be used to dump database data out to a malicious server,… | ||
| CVE-2017-5345 | Hig | 0.57 | 8.8 | 0.02 | Jan 12, 2017 | SQL injection vulnerability in inc/lib/Control/Ajax/tags-ajax.control.php in GeniXCMS 0.0.8 allows remote authenticated editors to execute arbitrary SQL commands via the term parameter to the default URI. | ||
| CVE-2016-6619 | Hig | 0.57 | 8.8 | 0.01 | Dec 11, 2016 | An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17)… | ||
| CVE-2016-2873 | Hig | 0.57 | 8.8 | 0.01 | Nov 30, 2016 | SQL injection vulnerability in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2016-8908 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8907 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8906 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8905 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter. | ||
| CVE-2016-8904 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-8903 | Hig | 0.57 | 8.8 | 0.02 | Nov 14, 2016 | SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter. | ||
| CVE-2016-9242 | Hig | 0.57 | 8.8 | 0.01 | Nov 7, 2016 | Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS 2.4.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) content_type or (2) subtype parameter. | ||
| CVE-2016-6443 | Hig | 0.57 | 8.8 | 0.03 | Oct 27, 2016 | A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability.… | ||
| CVE-2016-1000000 | Hig | 0.57 | 8.8 | 0.01 | Oct 6, 2016 | Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection | ||
| CVE-2016-7405 | — | Cri | 0.57 | 9.8 | 0.03 | Oct 3, 2016 | The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting. | |
| CVE-2016-1446 | Hig | 0.57 | 8.8 | 0.02 | Jul 15, 2016 | SQL injection vulnerability in Cisco WebEx Meetings Server 2.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuy83200. | ||
| CVE-2016-0233 | Hig | 0.57 | 8.8 | 0.01 | Jun 28, 2016 | SQL injection vulnerability in IBM Marketing Platform 8.5.x, 8.6.x, and 9.x before 9.1.2.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | ||
| CVE-2015-8157 | Hig | 0.57 | 8.8 | 0.02 | Jun 8, 2016 | SQL injection vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP)… | ||
| CVE-2016-3172 | Hig | 0.57 | 8.8 | 0.03 | Apr 12, 2016 | SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. |
- risk 0.57cvss 8.1epss 0.21
The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via…
- risk 0.57cvss 8.8epss 0.03
Multiple SQL injection vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow (1) remote administrators to execute arbitrary SQL commands via the delid parameter or remote authenticated users to execute arbitrary SQL commands via the (2) view, (3)…
- risk 0.57cvss 8.8epss 0.01
An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a blind SQL injection within the messageJson.jsp, which can only be exploited by authenticated users via an HTTP POST request and which can be used to dump database data out to a malicious server,…
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in inc/lib/Control/Ajax/tags-ajax.control.php in GeniXCMS 0.0.8 allows remote authenticated editors to execute arbitrary SQL commands via the term parameter to the default URI.
- risk 0.57cvss 8.8epss 0.01
An issue was discovered in phpMyAdmin. In the user interface preference feature, a user can execute an SQL injection attack against the account of the control user. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17)…
- risk 0.57cvss 8.8epss 0.01
SQL injection vulnerability in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > Links pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the orderby parameter.
- risk 0.57cvss 8.8epss 0.01
Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS 2.4.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) content_type or (2) subtype parameter.
- risk 0.57cvss 8.8epss 0.03
A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could allow an authenticated, remote attacker to impact system confidentiality by executing a subset of arbitrary SQL queries that can cause product instability.…
- risk 0.57cvss 8.8epss 0.01
Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection
- risk 0.57cvss 9.8epss 0.03
The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in Cisco WebEx Meetings Server 2.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuy83200.
- risk 0.57cvss 8.8epss 0.01
SQL injection vulnerability in IBM Marketing Platform 8.5.x, 8.6.x, and 9.x before 9.1.2.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
- risk 0.57cvss 8.8epss 0.02
SQL injection vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP)…
- risk 0.57cvss 8.8epss 0.03
SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action.