CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
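The two failure modes described above, as an added example that is not part of the CWE entry: a login query that splices request values into the SQL text (so a quote character in the input ends the string literal and the rest is parsed as SQL), the same query rewritten with driver-bound parameters, and an ORDER BY clause built from a request parameter, which binding cannot protect and therefore needs an allow-list. The table, rows, and the parameter names `sort` and `order` are constructed for the demonstration; it uses only the standard-library `sqlite3` module and runs offline.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: request values are concatenated into the SQL text, so a quote
    in the input closes the literal and the remainder is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Fix: a parameterized query. The SQL text is constant; the driver binds
    the values, which are therefore only ever treated as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Identifiers and keywords (a column name, ASC/DESC) cannot be passed as bound
# parameters, so a sort clause taken from the request needs an allow-list.
# 'sort' and 'order' are hypothetical request parameter names.
SORTABLE_COLUMNS = {"id", "username", "role"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_users_safe(conn, sort="id", order="asc"):
    """Only values from the allow-lists reach the SQL text; anything else is
    rejected before a query is built."""
    if sort not in SORTABLE_COLUMNS or order.lower() not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT username FROM users ORDER BY {sort} {SORT_DIRECTIONS[order.lower()]}"
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the injected quote ends the username literal and
    # the SQL comment marker discards the password check that follows it.
    payload = "alice' -- "
    print(login_vulnerable(db, payload, "wrong"))   # [('alice', 'admin')]
    print(login_safe(db, payload, "wrong"))         # []
    # Tautology in the password field matches every row.
    print(len(login_vulnerable(db, "x", "' OR '1'='1")))  # 2
    print(list_users_safe(db, "username", "desc"))  # ['bob', 'alice']
```

Binding covers values only. Table and column names, sort direction, LIMIT expressions and similar syntax elements still have to come from a fixed set the application controls, which is why the "order" and "sort_type" parameters in several of the entries below were exploitable even in code bases that otherwise used prepared statements.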

19,692 vulnerabilities with CWE-89

CVE             Severity  CVSS  Title
CVE-2024-39653  CRITICAL  9.3   VikRentCar <= 1.4.0 - SQL Injection
CVE-2024-39638  HIGH      8.5   Roundup WP Registrations for the Events Calendar < 2.12.2 - SQL Injection
CVE-2024-39622  CRITICAL  9.3   CridioStudio ListingPro <= 2.9.4 - Unauthenticated SQL Injection
CVE-2024-39620  HIGH      8.5   Cridio ListingPro < 2.9.4 - SQL Injection
CVE-2024-38795  CRITICAL  9.3   Cridio ListingPro < 2.9.4 - Unauthenticated SQL Injection
CVE-2024-38793  HIGH      8.5   Best Restaurant Menu by PriceListo <= 1.4.1 - SQL Injection
CVE-2024-8302   MEDIUM    6.3   dingfanzu CMS < 2024-01-31 - SQL Injection via username Parameter in chpwd.php
CVE-2024-5057   CRITICAL  9.3   Easy Digital Downloads < 3.2.12 - SQL Injection
CVE-2024-38693  HIGH      7.6   weDevs WP User Frontend < 4.0.7 - SQL Injection
CVE-2024-8301   HIGH      7.3   dingfanzu CMS < 2024-01-31 - SQL Injection via username Parameter in checkin.php
CVE-2024-7607   HIGH      8.8   Front End Users <= 3.2.28 - Authenticated Time-Based SQL Injection via Order Parameter
CVE-2024-29731  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via idChallenge and idEmpresa Parameters
CVE-2024-29730  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via idCat Parameter
CVE-2024-29729  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via generateShortURL url Parameter
CVE-2024-29728  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via idDesafio Parameter
CVE-2024-29727  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via send Parameter
CVE-2024-29726  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via setAsRead id Parameter
CVE-2024-29725  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via sort_bloques list Parameter
CVE-2024-29724  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via idDesafio Parameter
CVE-2024-29723  CRITICAL  9.8   SportsNET 4.0.1 - SQL Injection via categoria Parameter
CVE-2024-7857   MEDIUM    6.5   Media Library Folders <= 8.2.2 - Authenticated SQL Injection via 'sort_type' Parameter
CVE-2024-45059  HIGH      8.8   i-educar < 2.9 - SQL Injection via cod_func GET Parameter
CVE-2024-44761  CRITICAL  9.8   EQ Enterprise Management System < 2.0.0 - Path Traversal
CVE-2024-41236  HIGH      7.2   Kashipara Responsive School Management System v3.2.0 - SQL Injection via Admin Login Username Parameter
CVE-2024-5546   HIGH      8.3   ManageEngine PAM360 < 7001 - Authenticated SQL Injection via Global Search Option