SYM_PY_0064 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code builds SQL queries by directly inserting variables into strings using formatting or f-strings. This approach makes the queries vulnerable to SQL injection if any user input is included.
Impact
An attacker could manipulate input to run arbitrary SQL commands, potentially exposing, modifying, or deleting sensitive data in your database. This can lead to data breaches, data loss, or unauthorized access to your application's backend.