CWE-89

High likelihood

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,852 vulnerabilities with CWE-89
CVE-2019-15570 CRITICAL
BEdita < 4.0.0 - SQL Injection via Relation Save Operation
CVSS 9.8
CVE-2019-15569 CRITICAL
HM Courts & Tribunals ccd-data-store-api < 2019-06-10 - SQL Injection via SearchQueryFactoryOperation.java
CVSS 9.8
CVE-2019-15568 CRITICAL
idseq-web < 2019-07-01 - SQL Injection via tax_levels
CVSS 9.8
CVE-2019-15567 CRITICAL
OpenForis Arena < 2019-05-07 - SQL Injection via Sorting Feature
CVSS 9.8
CVE-2019-15566 CRITICAL
Alfresco < 1.8.7 - SQL Injection in HistorySearchProvider
CVSS 9.8
CVE-2019-15565 CRITICAL
webimpacto icommktconnector < 1.0.7 - SQL Injection in icommktconnector.php
CVSS 9.8
CVE-2019-15564 CRITICAL
Compassion Switzerland 10.01.4 - SQL Injection in Partner Compassion Model
CVSS 9.8
CVE-2019-15563 CRITICAL
OHDSI WebAPI < 2.7.2 - SQL Injection in FeatureExtractionService
CVSS 9.8
CVE-2019-15562 CRITICAL
gorm < 1.9.10 - SQL Injection via Incomplete Parentheses
CVSS 9.8
CVE-2019-15561 CRITICAL
flashlingo < 2019-06-12 - SQL Injection via flashlingo.js and db.js
CVSS 9.8
CVE-2019-15556 CRITICAL
social_network < 2019-07-03 - SQL Injection in register_handler.php
CVSS 9.8
CVE-2019-15534 CRITICAL
raml-module-builder 26.4.0 - SQL Injection in PostgresClient.update
CVSS 9.8
CVE-2019-15537 CRITICAL
CESNET proxystatistics < 3.1.0 - SQL Injection in DatabaseCommand.php
CVSS 9.8
CVE-2019-15536 CRITICAL
Acclaim < 2019-06-26 - SQL Injection via delete_records
CVSS 9.8
CVE-2019-15535 CRITICAL
hostosm/tasking_manager < 3.4.0 - SQL Injection via Custom SQL
CVSS 9.8
CVE-2019-12385 HIGH
Ampache < 3.9.1 - Unauthenticated SQL Injection via Search Engine
CVSS 8.8
CVE-2019-10687 CRITICAL
KBPublisher 6.0.2.1 - SQL Injection via entry_id or id Parameter
CVSS 9.8
CVE-2019-4483 CRITICAL
IBM Contract Management <10.1.4 - SQL Injection
CVSS 9.8
CVE-2019-4481 CRITICAL
IBM Contract Management <10.1.3 - SQL Injection
CVSS 9.8
CVE-2019-14430 MEDIUM
YouPHPTube < 7.2 - SQL Injection in AuditTable.php
CVSS 5.3
CVE-2019-14937 HIGH
REDCap 8.11.5-9.2.9 - Time-Based SQL Injection via Calendar Event cal_id Parameter
CVSS 7.5
CVE-2019-15105 HIGH
ManageEngine Applications Manager < 14.2 - SQL Injection via NewThresholdConfiguration.jsp resourceid Parameter
CVSS 8.8
CVE-2019-15104 HIGH
ManageEngine Applications Manager 12.0-13.9 - SQL Injection via NewThresholdConfiguration.jsp resourceid Parameter
CVSS 8.8
CVE-2019-13578 CRITICAL
Impress GiveWP Give <2.5.0 - SQL Injection
CVSS 9.8
CVE-2019-15025 CRITICAL
ninjaforms < 3.3.21.2 - SQL Injection via Submissions Page Search Filter
CVSS 9.8
Details
Vulnerabilities 19,852
Exploit Likelihood High