SYM_PY_0113 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
Your code builds SQL queries using values taken directly from the event object, which may contain user input. Without proper sanitization or parameterization, this allows attackers to inject malicious SQL code.
Impact
If exploited, an attacker could manipulate database queries to access, modify, or delete data they shouldn't have permission to, potentially exposing sensitive information or compromising the integrity of your application.