SYM_RB_0036 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
User input is inserted directly into SQL queries by building the query string manually (for example through string concatenation or string formatting). This makes the code vulnerable to SQL injection: untrusted data is parsed as part of the SQL command, so it can alter the structure of the statement instead of being treated purely as a value.
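The following is an added example, not code from the Symbiotic-Vulnerability-Database rule or its project. It uses Python's standard-library `sqlite3` module with a constructed in-memory `users` table to show the string-built query the rule flags next to its parameterized replacement, and adds a small `ast`-based scanner (an assumption about how such a rule could be expressed, not the rule's own implementation) that flags `execute()` calls whose SQL argument is assembled at runtime. The table contents, user names and the constructed sample source are all made up for the demonstration.

```python
import ast
import sqlite3


def make_db():
    # Constructed sample data: three users in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable pattern (CWE-89): the query text is assembled from untrusted
    # input, so the input is parsed as SQL grammar rather than as a value.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Hardened form: a placeholder plus a bound parameter. The driver passes the
    # value out of band, so it can never change the statement's structure.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups with a normal name and with a structure-altering input."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # textbook input that turns the WHERE clause into 'always true'
    return {
        "vuln_normal": find_user_vulnerable(conn, "alice"),
        "vuln_injected": find_user_vulnerable(conn, tautology),  # returns every row
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_injected": find_user_safe(conn, tautology),  # matches no row: treated as a literal
    }


def find_string_built_queries(source):
    """Report line numbers of execute()/executemany() calls whose first argument
    is built at runtime: concatenation, %-formatting, str.format(), or an f-string.
    This is an illustrative detector, not the database's own rule logic."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        arg = node.args[0]
        dynamic = (
            isinstance(arg, ast.JoinedStr)
            or (isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)))
            or (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format")
        )
        if dynamic:
            findings.append(node.lineno)
    return findings


# Constructed sample source: four string-built queries and one parameterized query.
SAMPLE_SOURCE = '''
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM users WHERE name = %s" % name)
cur.execute("SELECT * FROM users WHERE name = {}".format(name))
cur.execute(f"SELECT * FROM users WHERE name = {name}")
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def scan_sample():
    """Lines 2-5 of the sample are flagged; the parameterized call on line 6 is not."""
    return find_string_built_queries(SAMPLE_SOURCE)


if __name__ == "__main__":
    print(demo())
    print("flagged lines:", scan_sample())
```

The `demo()` result shows the point of the rule concretely: the same input returns every user from the string-built query and no user from the parameterized one. The scanner only recognizes a few syntactic shapes and does not follow variables assigned elsewhere, which is why static rules of this kind report Medium confidence.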
## Impact
If exploited, an attacker could steal, modify, or delete data in your database, gain unauthorized access to sensitive information, or potentially compromise the entire application. This can lead to data breaches, data loss, and regulatory or reputational damage.