CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,842 vulnerabilities with CWE-89
CVE-2020-35245 CRITICAL
Flamingo < 2020-09-29 - SQL Injection in UserManager::addUser
CVSS 9.8
CVE-2020-35244 CRITICAL
Flamingo < 2020-09-29 - SQL Injection via UserManager::addGroup
CVSS 9.8
CVE-2020-35243 CRITICAL
Flamingo < 2020-09-29 - SQL Injection via UserManager::updateUserInfoInDb
CVSS 9.8
CVE-2020-35242 CRITICAL
Flamingo < 2020-09-29 - SQL Injection via UserManager::updateUserTeamInfoInDbAndMemory
CVSS 9.8
CVE-2020-35708 HIGH
phplist 3.5.9 - Authenticated SQL Injection via Config Import Administrators
CVSS 7.2
CVE-2020-29474 CRITICAL
EGavilan Media EGM Address Book 1.0 - SQL Injection
CVSS 9.8
CVE-2020-29472 CRITICAL
EGavilan Media Under Construction page with cPanel 1.0 - SQL Injection
CVSS 9.8
CVE-2020-35666 HIGH
Steedos Platform < 1.21.24 - NoSQL Injection via X-User-Id Parameter
CVSS 8.8
CVE-2020-28074 CRITICAL
SourceCodester Online Health Care System 1.0 - SQL Injection
CVSS 9.8
CVE-2020-28073 CRITICAL
Library Management System 1.0 - SQL Injection
CVSS 9.8
CVE-2020-28070 CRITICAL
SourceCodester Alumni Management System 1.0 - SQL Injection via view_event.php id Parameter
CVSS 9.8
CVE-2020-13968 CRITICAL
CRK Business Platform <= 2019.1 - SQL Injection via strSessao Parameter
CVSS 9.8
CVE-2020-24673 CRITICAL
S+ Operations/S+ Historian - SQL Injection
CVSS 9.8
CVE-2020-35151 HIGH
Online Marriage Registration System 1.0 - SQL Injection
CVSS 8.8
CVE-2020-11717 CRITICAL
bilanc < 014_31.01.2020 - SQL Injection
CVSS 9.8
CVE-2020-21378 CRITICAL
SeaCMS 10.1 - SQL Injection via admin_members_group.php id Parameter
CVSS 9.8
CVE-2020-21377 CRITICAL
yunyecms V2.0.1 - SQL Injection via selcart Parameter
CVSS 9.8
CVE-2020-35276 CRITICAL
EgavilanMedia ECM Address Book 1.0 - SQL Injection via Admin Login Panel Bypass
CVSS 9.8
CVE-2020-20300 CRITICAL
WeiPHP 5.0 - SQL Injection via wp_where Function
CVSS 9.8
CVE-2020-25608 HIGH
Mitel MiCollab < 9.2 - SQL Injection via SAS Portal
CVSS 7.2
CVE-2020-35545 CRITICAL
Spotweb 1.4.9 - Time-based SQL Injection via Query String
CVSS 9.8
CVE-2020-35122 HIGH
Keysight Database Connector <1.5.0 - Privilege Escalation
CVSS 7.5
CVE-2020-20189 CRITICAL
newpk 1.1 - SQL Injection via Title Parameter
CVSS 9.8
CVE-2020-28860 HIGH
OpenAsset Digital Asset Management <= 12.0.19 - Authenticated Blind SQL Injection
CVSS 8.8
CVE-2020-16104 HIGH
Gallagher Command Centre < 7.90.0 - Authenticated SQL Injection via Enterprise Data Interface
CVSS 8.2
Details
Vulnerabilities 19,842
Exploit Likelihood High