SYM_PY_0217 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input from web requests is being directly included in the SQL 'where' clause via Django's 'extra()' method without proper sanitization or parameterization. This allows attackers to inject malicious SQL code, making the query vulnerable to SQL injection.
Impact
If exploited, an attacker could manipulate database queries to access, modify, or delete sensitive data, bypass authentication, or execute administrative operations. This could lead to data breaches, loss of data integrity, or full compromise of the application's backend database.