SYM_PY_0114 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input taken from the 'event' object is placed directly into SQL query text executed with pymssql, without sanitization or parameter binding. Because the input becomes part of the statement rather than being passed as data, an attacker who controls the event payload can change the structure of the SQL statement, creating a risk of SQL injection.
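The pattern described above, as an added example that is not part of the original wiki page: a Lambda-style `event` field spliced into the query text beside the parameterized form. pymssql's cursor follows DB-API 2.0 with the `pyformat` paramstyle (`%s` placeholders), so the stand-in `RecordingCursor` below, the `users` table, and the `username` field are assumptions used to run the example offline without a database.

```python
"""Vulnerable vs. hardened handling of an 'event' field with a DB-API cursor.

pymssql uses the 'pyformat' paramstyle: cursor.execute(sql, params) with %s
placeholders. RecordingCursor is a stand-in (assumption) that records what
execute() received, so the example runs without a live SQL Server.
"""
from dataclasses import dataclass, field


@dataclass
class RecordingCursor:
    """Minimal stand-in for pymssql's cursor; stores (sql, params) per call."""
    calls: list = field(default_factory=list)

    def execute(self, operation, params=None):
        self.calls.append((operation, params))


def lookup_user_unsafe(cursor, event):
    # BEFORE: the event value is formatted into the SQL text. Any quote
    # character in the value is parsed as SQL, not as part of the data.
    username = event["username"]
    sql = f"SELECT id, email FROM users WHERE username = '{username}'"
    cursor.execute(sql)
    return sql


def lookup_user_safe(cursor, event):
    # AFTER: the statement text is constant; the value is bound as a
    # parameter, so the driver sends it as data regardless of its content.
    username = event.get("username")
    if not isinstance(username, str) or not 0 < len(username) <= 64:
        raise ValueError("username must be a non-empty string of at most 64 chars")
    sql = "SELECT id, email FROM users WHERE username = %s"
    cursor.execute(sql, (username,))
    return sql


if __name__ == "__main__":
    event = {"username": "O'Brien"}  # constructed sample event payload
    cur = RecordingCursor()
    # The apostrophe breaks the unsafe statement (unbalanced quotes) but is
    # carried intact as a bound parameter in the safe version.
    print(lookup_user_unsafe(cur, event))
    print(lookup_user_safe(cur, event), cur.calls[-1])
```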
Impact
If exploited, an attacker could execute arbitrary SQL commands on your database, potentially stealing, modifying, or deleting sensitive data, or even taking control of the database server. This compromises data integrity and can lead to data breaches or system downtime.