CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Abstraction: Base · Status: Stable · Likelihood of exploit: High
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (8,799)
Page 9 of 440

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-15973 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Sokial Social Network Script 1.0 allows SQL Injection via the id parameter to admin/members_view.php. |
| CVE-2017-15972 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | SoftDatepro Dating Social Network 1.3 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15971. |
| CVE-2017-15971 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Same Sex Dating Software Pro 1.0 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15972. |
| CVE-2017-15970 | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter. |
| CVE-2017-15969 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to search/tag, friends/index, users/profile, or video_catalog/category. |
| CVE-2017-15968 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.php subcategory parameter. |
| CVE-2017-15967 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Mailing List Manager Pro 3.0 allows SQL Injection via the edit parameter to admin/users in a sort=login action, or the edit parameter to admin/template. |
| CVE-2017-15966 | Cri | 0.67 | 9.8 | 0.04 | | Oct 29, 2017 | The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php. |
| CVE-2017-15965 | Cri | 0.67 | 9.8 | 0.04 | | Oct 29, 2017 | The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action. |
| CVE-2017-15964 | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI. |
| CVE-2017-15963 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.php sc parameter or the service-provider.php ser parameter. |
| CVE-2017-15961 | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | iProject Management System 1.0 allows SQL Injection via the ID parameter to index.php. |
| CVE-2017-15960 | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | Article Directory Script 3.0 allows SQL Injection via the id parameter to author.php or category.php. |
| CVE-2017-15959 | Cri | 0.67 | 9.8 | 0.02 | | Oct 29, 2017 | Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /download URI, a different vulnerability than CVE-2007-6576. |
| CVE-2017-15958 | Cri | 0.67 | 9.8 | 0.03 | | Oct 29, 2017 | D-Park Pro Domain Parking Script 1.0 allows SQL Injection via the username to admin/loginform.php. |
| CVE-2014-2023 | Cri | 0.67 | 9.8 | 0.09 | | Oct 26, 2017 | Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/. |
| CVE-2017-15081 | Cri | 0.67 | 9.8 | 0.07 | | Oct 24, 2017 | In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php. |
| CVE-2017-15579 | Cri | 0.67 | 9.8 | 0.00 | | Oct 18, 2017 | In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pages_per_page cookie in a playlist action to watch.php. |
| CVE-2015-2147 | Cri | 0.67 | 9.8 | 0.00 | | Oct 6, 2017 | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. |
| CVE-2017-6089 | Cri | 0.67 | 9.8 | 0.03 | | Oct 3, 2017 | SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id parameter to calendar/deletecalendar.php. |