CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,849 vulnerabilities with CWE-89
CVE-2019-25100 MEDIUM
happyman twmap <2.9_v4.31 - SQL Injection
CVSS 5.5
CVE-2019-12359 HIGH
zzcms 2019 - Authenticated SQL Injection via id Parameter
CVSS 7.2
CVE-2019-12358 HIGH
zzcms 2019 - SQL Injection via dlid Cookie in /dl/dl_sendsms.php
CVSS 8.8
CVE-2019-12357 HIGH
zzcms 2019 - Authenticated SQL Injection via /admin/deluser.php id Parameter
CVSS 7.2
CVE-2019-12356 HIGH
zzcms 2019 - SQL Injection via /user/dls_download.php id Parameter
CVSS 8.8
CVE-2019-12355 HIGH
zzcms 2019 - SQL Injection via id Parameter in dls_print.php
CVSS 8.8
CVE-2019-12354 HIGH
zzcms 2019 - Authenticated SQL Injection via id Parameter
CVSS 7.2
CVE-2019-12353 HIGH
zzcms 2019 - Authenticated SQL Injection via /admin/dl_sendmail.php id Parameter
CVSS 7.2
CVE-2019-12352 HIGH
zzcms 2019 - SQL Injection via dlid Cookie in dl_sendmail.php
CVSS 8.8
CVE-2019-4575 CRITICAL
IBM Financial Transaction Manager for Digital Payments <3.2.9 - SQL...
CVSS 9.8
CVE-2019-12351 CRITICAL
zzcms 2019 - SQL Injection via dl/dl_print.php id Parameter
CVSS 9.8
CVE-2019-12350 CRITICAL
zzcms 2019 - SQL Injection via dl/dl_download.php id Parameter
CVSS 9.8
CVE-2019-12349 CRITICAL
zzcms 2019 - SQL Injection via /admin/dl_sendsms.php id Parameter
CVSS 9.8
CVE-2019-12348 CRITICAL
zzcms 2019 - SQL Injection via daohang or img POST Parameter
CVSS 9.8
CVE-2019-25019 CRITICAL
LimeSurvey <4.0.0-RC4 - SQL Injection
CVSS 9.8
CVE-2019-7726 CRITICAL
NukeViet < 4.3.04 - SQL Injection via HTTP Header Data
CVSS 9.8
CVE-2019-19286 HIGH
Siemens XHQ < 6.1.0.0 - SQL Injection via Web Interface
CVSS 7.2
CVE-2019-19876 CRITICAL
B&R Industrial Automation APROL < R4.2 - SQL Injection via EnMon PHP Script
CVSS 9.8
CVE-2019-4680 HIGH
IBM Sterling B2B Integrator Standard Edition <6.0.2.2 - SQL Injection
CVSS 8.8
CVE-2019-4671 MEDIUM
IBM Maximo Asset Management <7.6.1 - SQL Injection
CVSS 6.3
CVE-2019-19499 MEDIUM
Grafana <= 6.4.3 - Authenticated Arbitrary File Read via Data Source Configuration
CVSS 6.5
CVE-2019-20896 CRITICAL
WebChess 1.0 - SQL Injection via messageFrom, gameID, opponent, messageID, or to Parameter
CVSS 9.8
CVE-2019-14900 MEDIUM
Redhat Openstack < 5.3.18 - SQL Injection
CVSS 6.5
CVE-2019-4650 MEDIUM
IBM Maximo Asset Management 7.6.1.1 - SQL Injection
CVSS 6.3
CVE-2019-20842 HIGH
Mattermost Server < 5.9.7 - Authenticated SQL Injection via SearchAllChannels
CVSS 7.2
Details
Vulnerabilities 19,849
Exploit Likelihood High