CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,817 vulnerabilities with CWE-89
CVE-2021-47811 CRITICAL
grocery_crud < 2.0.1 - SQL Injection via order_by Parameter
CVSS 9.1
CVE-2021-47801 HIGH
Vianeos OctoPUS 5 - Time-Based Blind SQL Injection via Login User Parameter
CVSS 8.2
CVE-2021-47782 HIGH
Odine Solutions GateKeeper 1.0 - SQL Injection
CVSS 8.2
CVE-2021-47777 HIGH
Build Smart ERP 21.0817 - SQL Injection
CVSS 8.2
CVE-2021-47766 HIGH
Kmaleon 1.1.0.205 - Authenticated SQL Injection via tipocomb Parameter
CVSS 7.1
CVE-2021-47763 HIGH
Aimeos 2021.10 LTS - SQL Injection via JSON API Sort Parameter
CVSS 8.2
CVE-2021-47720 HIGH
Orangescrum 1.8.0 - Authenticated SQL Injection via Multiple Parameters
CVSS 7.1
CVE-2021-47714 MEDIUM
Hasura GraphQL 1.3.3 - Local File Read via SQL Injection in Query Endpoint
CVSS 5.5
CVE-2021-47711 HIGH
Kentico Xperience < 13.0.52 - Authenticated SQL Injection via Online Marketing Macro Method Parameters
CVSS 8.8
CVE-2021-47708 CRITICAL
COMMAX Smart Home System CDP-1020n - SQL Injection
CVE-2021-47704 MEDIUM
OpenBMCS 2.4 - Authenticated SQL Injection via obix_test.php id Parameter
CVSS 6.5
CVE-2021-47693 HIGH
Nagios XI < 5.8.5 - Authenticated SQL Injection via Core Config Manager Search Text
CVSS 8.8
CVE-2021-4458 MEDIUM
Modern Events Calendar Lite <= 6.3.0 - Unauthenticated SQL Injection via 'id' Parameter
CVSS 5.9
CVE-2021-41691 CRITICAL
OS4Ed OpenSIS Community 8.0 - SQL Injection via Student ID and TRANSFER{SCHOOL} Parameters
CVSS 9.8
CVE-2021-37787 MEDIUM
abo.cms 5.8-5.9.3 - SQL Injection via TinyMCE Module POST Request
CVSS 6.5
CVE-2021-1470 MEDIUM
Cisco Catalyst SD-WAN Manager - Authenticated SQL Injection via Web Interface
CVSS 4.9
CVE-2021-4450 HIGH
Post Grid <= 2.1.12 - Authenticated Blind SQL Injection via Post Metadata
CVSS 8.8
CVE-2021-20451 MEDIUM
IBM Cognos Controller <11.0.0 - SQL Injection
CVSS 6.0
CVE-2021-24869 HIGH
WP Fastest Cache <0.9.5 - SQL Injection
CVSS 8.8
CVE-2021-24151 HIGH
WP Editor < 1.2.7 - Authenticated Blind SQL Injection via Settings Save Request
CVSS 7.2
CVE-2021-35437 CRITICAL
lmxcms 1.4 - SQL Injection via TagsAction.class
CVSS 9.8
CVE-2021-43609 CRITICAL
Spiceworks Help Desk Server <1.3.3 - Blind Boolean SQL Injection
CVSS 9.9
CVE-2021-26837 CRITICAL
Fortra DeliverNow < 1.2.18 - SQL Injection via SearchTextBox Parameter
CVSS 9.8
CVE-2021-45811 MEDIUM
osTicket 1.15-1.15.8 - Authenticated SQL Injection via Search Keywords and Topic ID Parameters
CVSS 6.5
CVE-2021-3262 CRITICAL
TripSpark VEO Transportation <2.2.x - SQL Injection
CVSS 9.8
Details
Vulnerabilities 19,817
Exploit Likelihood High