CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,824 vulnerabilities with CWE-89
CVE-2021-24626 HIGH
Chameleon CSS < 1.2 - Authenticated Cross-Site Request Forgery and SQL Injection via AJAX Calls
CVSS 8.8
CVE-2021-24625 HIGH
SpiderCatalog < 1.7.3 - Authenticated SQL Injection via Parent and Ordering Parameters
CVSS 7.2
CVE-2021-24575 HIGH
WPSchoolPress < 2.1.10 - Authenticated SQL Injection via POST Variable
CVSS 8.8
CVE-2021-28022 HIGH
ServiceTonic Helpdesk < 9.0.35937 - SQL Injection
CVSS 7.5
CVE-2021-42077 CRITICAL
PHP Event Calendar < 2021-09-03 - SQL Injection via User Manager Username Parameter
CVSS 9.8
CVE-2021-34684 CRITICAL
Hitachi Vantara Pentaho < 9.1.0.0 - Unauthenticated SQL Injection via Dashboard Editor API
CVSS 9.8
CVE-2021-42670 CRITICAL
Engineers Online Portal - SQL Injection via Announcements Student ID Parameter
CVSS 9.8
CVE-2021-42668 CRITICAL
Engineers Online Portal - SQL Injection via id Parameter in my_classmates.php
CVSS 9.8
CVE-2021-42667 CRITICAL
Sourcecodester Online Event Booking and Reservation System - SQL Injection in Event Management Views
CVSS 9.8
CVE-2021-42666 HIGH
Sourcecodester Engineers Online Portal - SQL Injection via Quiz Question ID Parameter
CVSS 8.8
CVE-2021-42665 CRITICAL
Engineers Online Portal - SQL Injection via Login Form
CVSS 9.8
CVE-2021-41492 CRITICAL
Simple Cashiering System 1.0 - SQL Injection via Product Code, id Parameter, or t Parameter
CVSS 9.8
CVE-2021-43140 CRITICAL
Simple Subscription Website 1.0 - SQL Injection via Login
CVSS 9.8
CVE-2021-43130 CRITICAL
Sourcecodester CRM 1.0 - SQL Injection
CVSS 9.8
CVE-2021-36184 HIGH
Fortinet FortiWLM <8.6.1 - SQL Injection
CVSS 8.8
CVE-2021-41187 HIGH
DHIS 2 2.32.0-2.32.6 - Authenticated SQL Injection via Tracked Entity and Events API Endpoints
CVSS 8.1
CVE-2021-31849 HIGH
McAfee Data Loss Prevention Endpoint 11.6.0-11.6.400 - Authenticated SQL Injection via User Management Section
CVSS 8.4
CVE-2021-26739 CRITICAL
doyocms 2.3 - SQL Injection via pay.php Attribute Parameter
CVSS 9.8
CVE-2021-25874 HIGH
youphptube < 10.0 - Unauthenticated SQL Injection via catName Parameter
CVSS 7.5
CVE-2021-27644 HIGH
Apache DolphinScheduler <1.3.6 - SQL Injection
CVSS 8.8
CVE-2021-41746 HIGH
Yonyou TurboCRM - SQL Injection via orgcode Parameter
CVSS 7.5
CVE-2021-41676 CRITICAL
Pharmacy Point of Sale System 1.0 - SQL Injection in Login Function
CVSS 9.8
CVE-2021-41674 CRITICAL
e-negosyo_system - SQL Injection via user_email Parameter
CVSS 9.8
CVE-2021-39179 HIGH
DHIS2 2.32.0-2.32.6 - Authenticated SQL Injection via Tracker API Endpoints
CVSS 8.8
CVE-2021-37808 MEDIUM
News Portal Project 3.1 - SQL Injection via Category Subcategory Sucatdescription Username Parameters
CVSS 5.9
Details
Vulnerabilities 19,824
Exploit Likelihood High