Cwe 89

🧬 CWE Related 54
slug: cwe-89

Explanation

CWE-89は「Webアプリがユーザー入力をきちんとパラメータ化せずにSQL文に埋め込んでしまう欠陥」のことです。 攻撃者はSQL文の構造を書き換えてデータベースを直接操作でき、全ユーザーのID/パスワードを抜く・データ改ざん・データベース全削除など何でもされます。 対策は「プリペアドステートメント (パラメータ化クエリ)」を必ず使うこと。
📌 Example
Equifax事件 (2017): 米国最大の信用情報機関で1.4億人の個人情報流出。直接的にはApache Strutsの脆弱性だったが、SQLi脆弱性を経由した類似事件は無数にある。

🔖 Related tags

🛡 Vulnerabilities tagged with this 1,707

ID Title
CVE-2017-17871 SQL Injection in sqli (CVE-2017-17871)
CVE-2017-17872 SQL Injection in sqli (CVE-2017-17872)
CVE-2017-17873 Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI.
CVE-2017-17875 SQL Injection in sqli (CVE-2017-17875)
CVE-2017-0304 SQL Injection in sqli (CVE-2017-0304)
CVE-2017-17829 SQL Injection in sqli (CVE-2017-17829)
CVE-2017-17822 SQL Injection in sqli (CVE-2017-17822)
CVE-2017-17823 SQL Injection in sqli (CVE-2017-17823)
CVE-2017-17824 SQL Injection in sqli (CVE-2017-17824)
CVE-2012-2576 SQL Injection in sqli (CVE-2012-2576)
CVE-2017-16733 SQL Injection in sqli (CVE-2017-16733)
CVE-2017-16735 SQL Injection in sqli (CVE-2017-16735)
CVE-2017-1757 SQL Injection in sqli (CVE-2017-1757)
CVE-2017-17779 Paid To Read Script 2.0.5 has SQL injection via the referrals.php id parameter.
CVE-2017-15875 SQL Injection in sqli (CVE-2017-15875)
CVE-2017-17721 SQL Injection in csharp (CVE-2017-17721)
CVE-2017-17643 FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/.
CVE-2017-17645 Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.
CVE-2017-17651 SQL Injection in sqli (CVE-2017-17651)
CVE-2017-17730 DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php.
CVE-2017-17731 DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
CVE-2017-17713 SQL Injection in sqli (CVE-2017-17713)
CVE-2017-17695 SQL Injection in sqli (CVE-2017-17695)
CVE-2017-5663 SQL Injection in apache (CVE-2017-5663)
CVE-2017-17648 SQL Injection in sqli (CVE-2017-17648)
CVE-2017-17638 Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter.
CVE-2017-17639 Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter.
CVE-2017-17640 SQL Injection in sqli (CVE-2017-17640)
CVE-2017-17641 Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter.
CVE-2017-17642 Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job.

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →