CWE-943
Improper Neutralization of Special Elements in Data Query Logic
Description
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-676
CVEs mapped to this weakness (42)
Page 3 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-24787 | | | 0.00 | — | 0.01 | | Feb 6, 2025 | WhoDB is an open source database management tool. In affected versions the application is vulnerable to parameter injection in database connection strings, which allows an attacker to read local files on the machine the application is running on. The application uses string… |
| CVE-2020-5257 | | | 0.00 | — | 0.01 | | Mar 13, 2020 | In Administrate (rubygem) before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the `direction` parameter… |