SYM_PY_0177 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Using QuerySet.extra() in Django can allow raw SQL fragments into queries without proper protection, making your code vulnerable to SQL injection. Instead, use Django's ORM methods and parameterized queries to safely handle user input.
Impact
If exploited, attackers could manipulate SQL queries to access, modify, or delete sensitive database data, potentially leading to data breaches, loss of integrity, or complete compromise of the application's database. This can expose confidential information and severely damage user trust and organizational reputation.