CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,843 vulnerabilities with CWE-89
CVE-2020-25700 MEDIUM
moodle 3.5.0-3.5.14, 3.7.0-3.7.8, 3.8.0-3.8.5, 3.9.0-3.9.2 - SQL Injection via Database Module Web Services
CVSS 6.5
CVE-2020-26075 HIGH
Cisco IoT Field Network Director < 4.6.1 - Authenticated SQL Injection via REST API
CVSS 8.8
CVE-2020-28091 HIGH
cxuucms v3 - SQL Injection via search.php Keywords Parameter
CVSS 7.5
CVE-2020-28183 CRITICAL
SourceCodester Water Billing System 1.0 - SQL Injection via Username and Password Parameters
CVSS 9.8
CVE-2020-28133 CRITICAL
Simple Grocery Store Sales and Inventory System - Authentication Bypass and SQL Injection via Login
CVSS 9.8
CVE-2020-28138 CRITICAL
SourceCodester Online Clothing Store 1.0 - SQL Injection via txtUserName Parameter
CVSS 9.8
CVE-2020-21665 HIGH
fastadmin V1.0.0.20191212_beta - Authenticated SQL Injection via /admin/ajax/weigh
CVSS 7.2
CVE-2020-4655 HIGH
IBM Sterling B2B Integrator 5.2.0.0-5.2.6.5 and 6.0.0.0-6.0.3.2 - SQL Injection
CVSS 8.8
CVE-2020-4647 HIGH
IBM Sterling File Gateway 2.2.0.0-2.2.6.5 and 6.0.0.0-6.0.3.2 - SQL Injection
CVSS 8.8
CVE-2020-25952 CRITICAL
PHPGurukul User Registration & Login and User Management System 2.1 - SQL Injection
CVSS 9.8
CVE-2020-13769 HIGH
Ivanti Endpoint Manager < 2020.1 - SQL Injection via /remotecontrolauth/api/device Request
CVSS 8.8
CVE-2020-5659 HIGH
XooNIps < 3.49 - Authenticated SQL Injection
CVSS 8.8
CVE-2020-25695 HIGH
PostgreSQL < 13.1, < 12.5, < 11.10, < 10.15, < 9.6.20, < 9.5.24 - SQL Injection via Object Creation
CVSS 8.8
CVE-2020-21667 HIGH
fastadmin-tp6 v1.0 - SQL Injection via 'table' Parameter
CVSS 7.2
CVE-2020-13877 CRITICAL
ResourceXpress Meeting Monitor 4.9 - SQL Injection
CVSS 9.8
CVE-2020-26805 HIGH
Sentrifugo 3.2 - Authenticated SQL Injection via employeeNumId Parameter
CVSS 7.2
CVE-2020-27481 CRITICAL
Good Layers LMS Plugin <= 2.1.4 - SQL Injection
CVSS 9.8
CVE-2020-24400 HIGH
Magento <2.4.0-2.3.5 - SQL Injection
CVSS 7.1
CVE-2020-28115 HIGH
audimexee < 14.1.1 - SQL Injection via Documents Component object_path Parameter
CVSS 8.8
CVE-2020-7759 MEDIUM
pimcore/pimcore <6.8.3 - SQL Injection
CVSS 6.5
CVE-2020-27886 CRITICAL
eyesofnetwork 5.3-7-5.3-8 - Unauthenticated SQL Injection via username_available Function
CVSS 9.8
CVE-2020-27995 CRITICAL
Zoho ManageEngine Applications Manager < 14560 - SQL Injection via MyPage.do template_resid Parameter
CVSS 9.8
CVE-2020-23945 HIGH
Victor CMS V1.0 - SQL Injection via cat_id Parameter
CVSS 7.5
CVE-2020-25034 MEDIUM
FireEye Email Malware Protection System < 9.0.1 - Authenticated SQL Injection via Email Search Parameters
CVSS 6.5
CVE-2020-27615 CRITICAL
WordPress <1.6.4 - SQL Injection/XSS
CVSS 9.8
Details
Vulnerabilities 19,843
Exploit Likelihood High