CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,844 vulnerabilities with CWE-89
CVE-2020-15504 CRITICAL
Sophos XG Firewall 17.0-18.0 MR1 - Remote Code Execution via SQL Injection
CVSS 9.8
CVE-2020-13993 HIGH
Mods for HESK 3.1.0-2019.1.0 - Unauthenticated Blind Time-Based SQL Injection via Ticket
CVSS 7.5
CVE-2020-15072 HIGH
phplist < 3.5.4 - SQL Injection via Import Administrators Section
CVSS 8.8
CVE-2020-3973 HIGH
VMware VeloCloud Orchestrator 3.1.1-3.3.1 - Authenticated Blind SQL Injection
CVSS 8.8
CVE-2020-8521 CRITICAL
phpzag - SQL Injection via Records.php Parameters
CVSS 9.8
CVE-2020-8520 CRITICAL
phpzag - SQL Injection via Records.php Order and Column Parameters
CVSS 9.8
CVE-2020-8519 CRITICAL
phpzag - SQL Injection via Records.php Search Parameter
CVSS 9.8
CVE-2020-15008 HIGH
Connectwise Automate <2020.7 or 2019.12 - SQL Injection
CVSS 7.5
CVE-2020-15540 CRITICAL
We-com OpenData CMS 2.0 - SQL Injection via Administrator Login Username Field
CVSS 9.8
CVE-2020-15539 CRITICAL
We-com Municipality Portal CMS 2.1.x - SQL Injection via Cerca Keywords Field
CVSS 9.8
CVE-2020-14092 CRITICAL
CodePeople Payment Form for PayPal Pro < 1.1.65 - SQL Injection
CVSS 9.8
CVE-2020-13381 CRITICAL
openSIS <= 7.4 - SQL Injection
CVSS 9.8
CVE-2020-13380 CRITICAL
openSIS < 7.4 - SQL Injection
CVSS 9.8
CVE-2020-15468 CRITICAL
Persian VIP Download Script 1.0 - SQL Injection via cart_edit.php active parameter
CVSS 9.8
CVE-2020-9483 HIGH
Apache SkyWalking 6.0.0-6.6.0 - SQL Injection via GraphQL Metadata Query
CVSS 7.5
CVE-2020-14069 MEDIUM
MK-AUTH 19.01 - SQL Injection via mkt/ Script Parameters
CVSS 6.8
CVE-2020-14068 CRITICAL
MK-AUTH 19.01 - Unauthenticated SQL Injection via central/executar_login.php
CVSS 9.8
CVE-2020-15363 CRITICAL
nexos < 1.7 - SQL Injection via search_order Parameter
CVSS 9.8
CVE-2020-15308 HIGH
Support Incident Tracker <3.67 p2 - SQL Injection
CVSS 7.2
CVE-2020-14972 CRITICAL
Sourcecodester Pisay Online E-Learning System 1.0 - SQL Injection
CVSS 9.8
CVE-2020-14960 HIGH
php-fusion 9.03.50 - SQL Injection via Comments Administration Endpoint ctype Parameter
CVSS 7.2
CVE-2020-14443 HIGH
Dolibarr < 11.0.3 and >=0 < 11.0.5 - Authenticated SQL Injection via id Parameter
CVSS 8.8
CVE-2020-13640 CRITICAL
wpDiscuz < 5.3.5 - SQL Injection via wpdLoadMoreComments Order Parameter
CVSS 9.8
CVE-2020-14295 HIGH
Cacti 1.2.12 - Authenticated SQL Injection via color.php filter Parameter
CVSS 7.2
CVE-2020-7500 CRITICAL
Schneider Electric U.motion Servers and Touch Panels < 1.4.2 - SQL Injection
CVSS 9.8
Details
Vulnerabilities 19,844
Exploit Likelihood High