SYM_GO_0055 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input is being directly inserted into SQL query strings without proper handling. This makes it possible for attackers to manipulate the query and access or modify database data. Always use prepared statements or an ORM to safely include user data in SQL queries.
Impact
If exploited, an attacker could bypass authentication, steal sensitive information, or alter and delete database records. This can lead to data breaches, loss of data integrity, and significant damage to the application's trust and reputation.