SYM_PY_0179 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A1:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Subclasses of Django's SQL-generating classes (Expression, Func, and similar) produce their query text in as_sql(), which must return a (sql, params) pair so that values are bound by the database driver. A custom as_sql() that formats user-controlled values directly into the SQL string, instead of returning them in the params list, hands that input to the database as SQL rather than as data. The same applies to RawSQL or any custom expression that builds its SQL with string concatenation or formatting. Parts of a query that cannot be bound as parameters (column names, sort directions, function names) must be checked against an allowlist before they are placed in the string.
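The following added example is not code from the Symbiotic Vulnerability Database or from Django; it is a stand-alone illustration of the pattern described above. The two classes UnsafeUsernameIs and SafeUsernameIs are hypothetical and only mirror the shape of Django's expression contract, where as_sql() returns a (sql, params) pair; they are run against an in-memory SQLite table with constructed sample rows so that the example works without Django installed. SQLite's "?" placeholder is used here; Django expressions write "%s" and the backend rewrites it. SafeColumnRef shows the allowlist check for a part of the query that cannot be parameterized.

```python
import sqlite3

# Constructed sample data standing in for a Django model's table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_user (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO app_user (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1), ("carol", 0)],
    )
    return conn


class UnsafeUsernameIs:
    """Hypothetical expression: the user value is formatted into the SQL text.
    Anything the caller passes becomes part of the statement."""

    def __init__(self, value):
        self.value = value

    def as_sql(self, compiler=None, connection=None):
        # Vulnerable: string interpolation of untrusted input, empty params list.
        return "username = '%s'" % self.value, []


class SafeUsernameIs:
    """Hardened form: the value is returned in params and bound by the driver."""

    def __init__(self, value):
        self.value = value

    def as_sql(self, compiler=None, connection=None):
        return "username = ?", [self.value]


# Identifiers cannot be bound as parameters, so they are validated instead.
ALLOWED_COLUMNS = {"id", "username"}


class SafeColumnRef:
    """Hypothetical expression for a caller-chosen column: allowlist, then quote."""

    def __init__(self, column):
        if column not in ALLOWED_COLUMNS:
            raise ValueError("column not allowed: %r" % column)
        self.column = column

    def as_sql(self, compiler=None, connection=None):
        return '"%s"' % self.column, []


def fetch_usernames(conn, expr):
    """Run a WHERE filter built from an expression, the way a compiler would
    assemble the (sql, params) pair into a query."""
    sql, params = expr.as_sql()
    rows = conn.execute("SELECT username FROM app_user WHERE " + sql, params).fetchall()
    return [r[0] for r in rows]


def fetch_ordered(conn, column):
    """Order by a caller-chosen column, which must pass the allowlist."""
    sql, params = SafeColumnRef(column).as_sql()
    rows = conn.execute("SELECT username FROM app_user ORDER BY " + sql, params).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("unsafe, normal input:", fetch_usernames(db, UnsafeUsernameIs("alice")))
    print("unsafe, payload:     ", fetch_usernames(db, UnsafeUsernameIs(payload)))
    print("safe, payload:       ", fetch_usernames(db, SafeUsernameIs(payload)))
```

With the payload `' OR 1=1 --` the unsafe expression turns the filter into `username = '' OR 1=1 --'` and returns every row, while the safe expression binds the same string as a literal value and matches nothing. The fix is mechanical: every user-controlled value goes into the params list, and anything that must appear in the SQL text itself is restricted to an allowlist.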
Impact
If exploited, an attacker can inject SQL through the unsanitized value and read, modify, or delete data that the application never intended to expose, including rows belonging to other users. Depending on database privileges, this can extend from disclosure of sensitive records to compromise of the entire application and its data store.