SYM_JAVA_0022 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input from HTTP requests is inserted directly into SQL queries through string concatenation or formatting. This exposes the code to SQL injection: because the input becomes part of the SQL text itself, an attacker can craft it to change the structure and behavior of the query instead of supplying a plain value. Use prepared statements (parameterized queries) or an ORM so that user data reaches the database as bound parameters rather than as part of the query text.
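The flagged pattern and its fix side by side, as an added JDBC example that is not part of the database entry: `findEmailUnsafe` concatenates the request parameter into the SQL text, `findEmailSafe` binds it with a `PreparedStatement`, and `listUsersSorted` shows the allowlist approach for the one case a bound parameter cannot cover (an identifier such as an ORDER BY column). The class, method and table names are assumptions; `username` stands in for a value read with `request.getParameter`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;
import java.util.Set;

public class UserLookup {

    // VULNERABLE (the pattern this entry flags): the request value is pasted into the SQL text.
    // A single quote in the value terminates the string literal early, and whatever follows
    // is parsed by the database as SQL rather than treated as part of the username.
    static Optional<String> findEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
        }
    }

    // FIXED: the SQL text is constant; the value is bound as a parameter, so the driver
    // always sends it as data, whatever characters it contains.
    static Optional<String> findEmailSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
            }
        }
    }

    // Caveat: identifiers (table/column names, ORDER BY targets) cannot be bound as parameters.
    // Map the request value onto a fixed allowlist; never splice it into the SQL text directly.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("username", "email", "created_at");

    static PreparedStatement listUsersSorted(Connection conn, String sortParam) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortParam)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortParam);
        }
        // sortParam is now one of our own literals, not attacker-controlled text
        return conn.prepareStatement("SELECT id, username FROM users ORDER BY " + sortParam);
    }
}
```

The same rule applies to `String.format` and `StringBuilder`: any path that turns request input into SQL text is the finding, and only binding (or an allowlist for identifiers) removes it.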
Impact
If exploited, an attacker could read, modify, or delete sensitive data in the database, bypass authentication, or even execute administrative operations. This can lead to data breaches, data loss, and compromise of the entire application or backend systems.