SYM_JSTS_0114 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input from HTTP request objects (like req.query, req.body, etc.) is being directly included in raw SQL queries using Knex without proper sanitization. This practice can allow attackers to inject malicious SQL code into your database operations.
Impact
If exploited, attackers could execute arbitrary SQL commands against your database, potentially exposing, modifying, or deleting sensitive data. This could lead to data breaches, loss of data integrity, and compromise of the entire application.