SYM_PY_0241 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input is being directly inserted into SQLAlchemy query clauses like group_by, order_by, distinct, having, or filter without proper parameter binding. This allows attackers to inject malicious SQL code if untrusted data reaches these clauses.
Impact
If exploited, attackers could manipulate database queries to access, modify, or delete sensitive data, bypass authentication, or disrupt application functionality. This could lead to data breaches, data loss, or full compromise of the application's database.