SYM_PY_0102 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input from the 'event' object is being directly included in SQL queries without proper sanitization or parameterization. This makes the code vulnerable to SQL injection attacks, where malicious input can manipulate the database query.
Impact
If exploited, an attacker could read, modify, or delete database records, gain unauthorized access to sensitive data, or compromise the entire database. This could lead to data breaches, loss of integrity, and serious harm to the application's users and reputation.