SYM_PY_0218 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input from HTTP requests is being directly included in SQL queries executed via cursor.execute(), instead of using Django's parameterized QuerySets. This makes the code vulnerable to SQL injection because attackers can manipulate the query through crafted input.
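The following is an added example, not code from the Symbiotic database or from any project it catalogues. It shows the flagged pattern (request input formatted into the SQL text handed to `cursor.execute()`) beside the parameterized form, and a check a reviewer can run to confirm the fix neutralizes quote characters. It assumes an in-memory SQLite database as a stand-in for the Django-managed one; the table, rows and the `find_user_*` functions are constructed for illustration. SQLite's placeholder is `?`, whereas Django's `connection.cursor().execute(sql, params)` uses `%s` on every backend.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, stands in for the application's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The pattern this entry flags: the request value is interpolated into the SQL
    string, so any quote character in it changes the query structure."""
    cursor = conn.cursor()
    cursor.execute("SELECT username, email FROM users WHERE username = '%s'" % username)
    return cursor.fetchall()


def find_user_safe(conn, username):
    """Hardened form: the value travels separately and the driver binds it as data.
    In Django the equivalent is cursor.execute(
        "SELECT ... WHERE username = %s", [username]); or, better, the ORM:
    User.objects.filter(username=username)."""
    cursor = conn.cursor()
    cursor.execute("SELECT username, email FROM users WHERE username = ?", (username,))
    return cursor.fetchall()


def check_fix(conn):
    """Regression check a defender keeps next to the fix: a value containing a quote
    and an OR clause must not widen the result set once the query is parameterized.
    Returns (rows from vulnerable query, rows from safe query)."""
    crafted = "' OR '1'='1"  # constructed test input, not a real request
    return len(find_user_vulnerable(conn, crafted)), len(find_user_safe(conn, crafted))


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", find_user_safe(db, "alice"))
    print("(vulnerable rows, safe rows) for quoted input:", check_fix(db))
```

The vulnerable function returns every row for the quoted input because the interpolated text becomes part of the WHERE clause; the parameterized function returns none, because the same text is compared as a literal username. The same check is worth adding to the test suite of any view that was rewritten from string formatting to `params`.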
Impact
If exploited, an attacker could execute arbitrary SQL commands against your database, leading to unauthorized data access, data modification or deletion, and potential exposure of sensitive information. This could compromise user data and application integrity and lead to data breaches or data loss.