SYM_PHP_0004 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input from the HTTP request is being passed directly to the 'ignore' parameter in Laravel's Rule::unique validation. This allows attackers to inject malicious input that could alter or break the underlying SQL query.
Impact
If exploited, an attacker could perform SQL injection, potentially exposing, modifying, or deleting database records. This could lead to data breaches, loss of data integrity, or unauthorized access to sensitive information.