CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,842 vulnerabilities with CWE-89
CVE-2020-5428 MEDIUM
Spring Cloud Task <2.2.4.RELEASE - SQL Injection
CVSS 6.0
CVE-2020-5427 HIGH
Spring Cloud Data Flow <2.6.5-2.5.4 - SQL Injection
CVSS 7.2
CVE-2020-35270 CRITICAL
Student Result Management System - SQL Injection
CVSS 9.1
CVE-2020-35263 CRITICAL
EgavilanMedia User Registration & Login System 1.0 - SQL Injection in Admin Panel
CVSS 9.8
CVE-2020-23262 CRITICAL
Ming-Soft MCMS <5.0 - SQL Injection
CVSS 9.8
CVE-2020-4921 HIGH
IBM Security Guardium 10.6 and 11.2 - SQL Injection
CVSS 8.8
CVE-2020-27733 HIGH
Zoho ManageEngine Applications Manager < 14 build 14880 - Authenticated SQL Injection via Alarmview Request
CVSS 8.8
CVE-2020-29493 CRITICAL
DELL EMC Avamar Server <19.3 - SQL Injection
CVSS 10.0
CVE-2020-29015 CRITICAL
FortiWeb < 6.2.4 and 6.3.0-6.3.7 - Unauthenticated Blind SQL Injection via Authorization Header
CVSS 9.8
CVE-2020-26712 CRITICAL
REDCap 10.3.4 - SQL Injection via ToDoList Sort Parameter
CVSS 9.8
CVE-2020-35701 HIGH
Cacti 1.2.0-1.2.16 - Authenticated SQL Injection via data_debug.php site_id Parameter
CVSS 8.8
CVE-2020-23630 HIGH
zzcms 201910 - Blind SQL Injection via Cookie
CVSS 8.8
CVE-2020-26773 HIGH
Restaurant Reservation System 1.0 - Authenticated SQL Injection
CVSS 8.8
CVE-2020-29437 HIGH
OrangeHRM < 4.6.0.1 - Authenticated SQL Injection via Buzz Module Profile User ID Parameter
CVSS 8.1
CVE-2020-26045 CRITICAL
FUEL CMS 1.4.11 - SQL Injection via Name Parameter in Permissions Create Endpoint
CVSS 9.8
CVE-2020-36112 CRITICAL
CSE Bookstore 1.0 - SQL Injection via pubid Parameter
CVSS 9.8
CVE-2020-35743 HIGH
HGiga MailSherlock < 4.5-133 - SQL Injection via URL Parameter
CVSS 7.0
CVE-2020-35742 HIGH
HGiga MailSherlock < 4.5-133 - SQL Injection via URL Parameter
CVSS 7.0
CVE-2020-28413 MEDIUM
MantisBT < 2.24.4 - SQL Injection via API SOAP mc_project_get_users Parameter
CVSS 5.3
CVE-2020-29228 HIGH
EGavilanMedia User Registration and Login System With Admin Panel 1.0 - SQL Injection in User Login Page
CVSS 7.5
CVE-2020-27848 HIGH
dotcms < 20.10.1 - Authenticated SQL Injection via orderby Parameter
CVSS 8.8
CVE-2020-35848 CRITICAL
Agentejo Cockpit < 0.11.2 - NoSQL Injection via Auth Controller New Password Function
CVSS 9.8
CVE-2020-35847 CRITICAL
Cockpit CMS NoSQLi to RCE
CVSS 9.8
CVE-2020-35846 CRITICAL
Agentejo Cockpit < 0.11.2 - NoSQL Injection via Auth Controller Check Function
CVSS 9.8
CVE-2020-35613 CRITICAL
Joomla! 3.0.0-3.9.22 - SQL Injection in Backend User List
CVSS 9.8
Details
Vulnerabilities 19,842
Exploit Likelihood High