SYM_RB_0058 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User input from parameters or cookies is being directly concatenated into SQL queries using the pg gem in Ruby. This allows attackers to inject malicious SQL code if the input is not properly sanitized. Use parameterized queries to prevent this risk.
Impact
If exploited, an attacker could modify, access, or delete database records, bypass authentication, or leak sensitive data. This can lead to data breaches, loss of integrity, and compromise of the entire application or its underlying data.