CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'): summary of 9206 CVE vulnerabilities in this weakness class, with AI-generated Chinese analysis.
CWE-89, SQL injection, is an input-validation weakness. When software does not adequately sanitize or escape user input and instead concatenates it directly into an SQL command, an attacker can inject SQL of their own, altering the query logic, bypassing authentication, or stealing sensitive data. Developers should avoid building queries by string concatenation and instead use parameterized queries or prepared statements, so that user input is only ever treated as data and never as executable code; this cuts off the injection path at its root.
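To make the contrast above concrete, the following added example (not code from the original page) builds a small in-memory SQLite table and runs the same lookup two ways: once by string concatenation, as in the CWE demonstrative snippet, and once with a parameterized query. The `items` table, the sample rows and the inputs are constructed for the illustration; on an input containing a quote character the concatenated query returns rows the caller does not own, while the parameterized query treats the whole input as a literal item name.

```python
import sqlite3

# Constructed sample data (not from any real system).
SAMPLE_ITEMS = [
    ("alice", "laptop"),
    ("alice", "badge"),
    ("bob", "laptop"),
    ("carol", "keys"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with an `items(owner, itemname)` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT NOT NULL, itemname TEXT NOT NULL)")
    conn.executemany("INSERT INTO items (owner, itemname) VALUES (?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def lookup_items_concat(conn: sqlite3.Connection, owner: str, itemname: str) -> list:
    """Vulnerable (CWE-89): mirrors the C# pattern of splicing input into the SQL text.
    A quote inside `itemname` terminates the string literal, so the rest of the
    input is parsed as SQL and changes the WHERE clause."""
    query = (
        "SELECT owner, itemname FROM items WHERE owner = '" + owner
        + "' AND itemname = '" + itemname + "'"
    )
    return conn.execute(query).fetchall()


def lookup_items_param(conn: sqlite3.Connection, owner: str, itemname: str) -> list:
    """Hardened: the SQL text is fixed; values travel separately as bind parameters
    and are only ever compared as data, whatever characters they contain."""
    query = "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(query, (owner, itemname)).fetchall()


def compare(owner: str, itemname: str) -> dict:
    """Run both variants on the same input and return what each produced."""
    conn = build_db()
    try:
        return {
            "concat": lookup_items_concat(conn, owner, itemname),
            "param": lookup_items_param(conn, owner, itemname),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Benign input: both variants agree on the single matching row.
    print(compare("alice", "laptop"))
    # Input containing a quote: the concatenated query's WHERE clause becomes
    # (owner = 'alice' AND itemname = 'x') OR 'a'='a', so every row is returned;
    # the parameterized query simply finds no item literally named that way.
    print(compare("alice", "x' OR 'a'='a"))
```

The point to take from the output is not the particular input but the structural difference: in `lookup_items_param` the database engine never sees user data as part of the statement text, so no amount of escaping logic has to be maintained on the application side.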
```csharp
// ...
string userName = ctx.getAuthenticatedUserName();
// Vulnerable: the user-controlled ItemName.Text is concatenated into the SQL text,
// so input containing quote characters can change the query logic.
string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
// ...
```

The query this code intends to execute is:

```sql
SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>;
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2020-6114 | Glacies IceHRM SQL injection vulnerability — Glacies IceHRM | 7.2 | - | 2020-07-10 |
| CVE-2020-7500 | Multiple Schneider Electric products SQL injection vulnerability — U.motion Servers and Touch Panels (affected versions listed in the security notification) | 9.8 | - | 2020-06-16 |
| CVE-2020-7493 | Schneider Electric EcoStruxure Operator Terminal Expert SQL injection vulnerability — EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD) | 7.8 | - | 2020-06-16 |
| CVE-2020-3339 | Cisco Prime Infrastructure Software SQL injection vulnerability — Cisco Prime Infrastructure | 8.1 | - | 2020-06-03 |
| CVE-2020-4035 | WatermelonDB SQL injection vulnerability — WatermelonDB | 5.9 | Medium | 2020-06-03 |
| CVE-2020-8967 | GESTIÓN INTEGRAL ONLINE GESIO ERP SQL injection vulnerability — GESIO ERP | 10.0 | Critical | 2020-06-01 |
| CVE-2020-3184 | Cisco Prime Collaboration Provisioning SQL injection vulnerability — Cisco Prime Collaboration Provisioning | 7.2 | - | 2020-05-22 |
| CVE-2020-12034 | Rockwell Automation EDS Subsystem SQL injection vulnerability — EDS Subsystem, FactoryTalk Linx software (previously called RSLinx Enterprise), RSLinx Classic, RSNetWorx software, Studio 5000 Logix Designer software | 7.9 | - | 2020-05-20 |
| CVE-2020-12014 | Advantech WebAccess Node SQL injection vulnerability — Advantech WebAccess Node | 9.1 | - | 2020-05-08 |
| CVE-2020-11032 | GLPI SQL injection vulnerability — GLPI | 7.6 | High | 2020-05-05 |
| CVE-2020-11004 | Admidio SQL injection vulnerability — admidio | 7.7 | High | 2020-04-24 |
| CVE-2020-11010 | Tortoise ORM SQL injection vulnerability — tortoise-orm | 6.3 | Medium | 2020-04-20 |
| CVE-2020-10512 | HGiga C&Cmail SQL injection vulnerability — C&Cmail | 8.8 | High | 2020-04-15 |
| CVE-2020-10505 | ALLE INFORMATION School Manage System SQL injection vulnerability — School Manage System | 9.8 | Critical | 2020-04-15 |
| CVE-2020-10617 | Advantech WebAccess/NMS SQL injection vulnerability — WebAccess/NMS | 7.5 | - | 2020-04-09 |
| CVE-2020-10623 | Advantech WebAccess/NMS SQL injection vulnerability — WebAccess/NMS | 6.5 | - | 2020-04-09 |
| CVE-2019-19094 | ABB eSOMS SQL injection vulnerability — eSOMS | 7.6 | High | 2020-04-02 |
| CVE-2020-6009 | LearnDash SQL injection vulnerability — LearnDash WordPress Plugin | 9.8 | - | 2020-04-01 |
| CVE-2020-5292 | Leantime SQL injection vulnerability — Leantime | 8.7 | High | 2020-03-31 |
| CVE-2020-5726 | Grandstream UCM6200 SQL injection vulnerability — Grandstream UCM6200 series | 7.5 | - | 2020-03-30 |
| CVE-2020-5725 | Grandstream UCM6200 SQL injection vulnerability — Grandstream UCM6200 series | 9.1 | - | 2020-03-30 |
| CVE-2020-5724 | Grandstream UCM6200 SQL injection vulnerability — Grandstream UCM6200 series | 7.5 | - | 2020-03-30 |
| CVE-2020-3936 | Unisoon UltraLog Express SQL injection vulnerability — UltraLog Express | 10.0 | Critical | 2020-03-27 |
| CVE-2019-19292 | Siemens SiNVR 3 Central Control Server and SiNVR 3 Video Server SQL injection vulnerability — Control Center Server (CCS) | 8.8 | High | 2020-03-10 |
| CVE-2020-3154 | Cisco Cloud Web Security SQL injection vulnerability — Cisco Cloud Web Security | 4.9 | - | 2020-02-19 |
| CVE-2019-15622 | Nextcloud Android SQL injection vulnerability — Nextcloud Android | 2.4 | - | 2020-02-04 |
| CVE-2017-14807 | SUSE Studio onsite susestudio-ui-server SQL injection vulnerability — Studio onsite | 8.1 | High | 2020-01-27 |
| CVE-2019-12619 | Cisco SD-WAN Solution SQL injection vulnerability — Cisco SD-WAN Solution | 6.5 | - | 2020-01-26 |
| CVE-2020-6960 | Multiple Honeywell products SQL injection vulnerability — Honeywell Maxpro VMS & NVR | 9.8 | - | 2020-01-22 |
| CVE-2019-15984 | Cisco Data Center Network Manager SQL injection vulnerability — Cisco Data Center Network Manager | 7.2 | - | 2020-01-06 |
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') is a common weakness category; this platform has collected 9206 CVE vulnerabilities associated with it.