CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,844 vulnerabilities with CWE-89
CVE-2020-7493 HIGH
EcoStruxure Operator Terminal Expert <= 3.1 Service Pack 1 - SQL Injection via Project File
CVSS 7.8
CVE-2020-14159 HIGH
ConnectWise Automate API < 2019.12.337 - Authenticated SQL Injection via /LabTech/agent.aspx
CVSS 8.8
CVE-2020-14054 CRITICAL
SOKKIA GNR5 Vanguard Firmware 1.2 - SQL Injection via Login Page User Name or Password Field
CVSS 9.8
CVE-2020-13996 HIGH
J2Store < 3.3.13 - Authenticated SQL Injection
CVSS 8.8
CVE-2020-10549 CRITICAL
rconfig < 3.9.4 - Unauthenticated SQL Injection via snippets.inc.php
CVSS 9.8
CVE-2020-10548 CRITICAL
rconfig < 3.9.4 - Unauthenticated SQL Injection via devices.inc.php
CVSS 9.8
CVE-2020-10547 CRITICAL
rconfig < 3.9.4 - Unauthenticated SQL Injection via compliancepolicyelements.inc.php
CVSS 9.8
CVE-2020-10546 CRITICAL
rconfig < 3.9.4 - Unauthenticated SQL Injection via compliancepolicies.inc.php
CVSS 9.8
CVE-2020-3339 MEDIUM
Cisco Prime Infrastructure - SQL Injection
CVSS 5.4
CVE-2020-4035 MEDIUM
WatermelonDB < 0.15.1 - SQL Injection via Malicious Record ID
CVSS 5.9
CVE-2020-8967 CRITICAL
GESIO ERP < 11.2 - SQL Injection
CVSS 10.0
CVE-2020-13433 CRITICAL
Jason2605 AdminPanel 4.0 - SQL Injection
CVSS 9.8
CVE-2020-3184 HIGH
Cisco Prime Collaboration Provisioning Software - SQL Injection
CVSS 7.2
CVE-2020-5579 HIGH
Paid Memberships <2.3.3 - SQL Injection
CVSS 7.2
CVE-2020-12034 HIGH
Rockwell Automation EDS Subsystem <= 28.0.1 - SQL Injection via Crafted EDS Files
CVSS 8.2
CVE-2020-4345 LOW
IBM i 7.2-7.4 - SQL Injection
CVSS 3.3
CVE-2020-13118 CRITICAL
Mikrotik Router Monitoring System <2018-10-22 - SQL Injection
CVSS 9.8
CVE-2020-6253 HIGH
SAP ASE Web Services <16.0 - Privilege Escalation
CVSS 7.2
CVE-2020-6249 HIGH
SAP Master Data Governance < S4CORE 101 - SQL Injection
CVSS 8.8
CVE-2020-6241 HIGH
SAP Adaptive Server Enterprise 16.0 - Privilege Escalation
CVSS 8.8
CVE-2020-12766 CRITICAL
Gnuteca 3.8 - SQL Injection via exemplaryStatusId Parameter
CVSS 9.8
CVE-2020-11530 CRITICAL
idangero chop_slider - Blind SQL Injection via id GET Parameter
CVSS 9.8
CVE-2020-12014 HIGH
Advantech WebAccess < 8.4.4 - SQL Injection
CVSS 7.5
CVE-2020-12720 CRITICAL
vBulletin <5.5.6pl1, <5.6.0pl1, <5.6.1pl1 - Privilege Escalation
CVSS 9.8
CVE-2020-11032 HIGH
GLPI < 9.4.6 - Authenticated SQL Injection
CVSS 7.6
Details
Vulnerabilities 19,844
Exploit Likelihood High