Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: High

Description

SQL queries are being constructed using function arguments without proper sanitization, which can allow untrusted input to be included directly in database statements. This makes the code vulnerable to SQL injection attacks if user input is not handled safely.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: High

Description

Building SQL queries by concatenating variables directly into query strings in mssql can allow user-supplied data to alter the intended SQL logic. This practice creates a risk of SQL injection if the variables aren’t properly sanitized.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input from HTTP request objects (like req.query, req.body, etc.) is being directly included in raw SQL queries using Knex without proper sanitization. This practice can allow attackers to inject malicious SQL code into your database operations.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from the AWS Lambda event object is being directly used to build SQL queries without proper sanitization. This practice allows attackers to inject malicious SQL code into your database operations.

Impact

If exploited, attackers could manipulate database queries to access, modify, or delete sensitive data, bypass authentication, or cause data loss. This can lead to data breaches, unauthorized access, and significant harm to your application’s integrity and user trust.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: low
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

User input is being directly included in SQL query strings, rather than using parameterized queries. This practice can let attackers inject malicious SQL, making your code vulnerable to SQL injection attacks.

Impact

If exploited, an attacker could read, modify, or delete sensitive database information, potentially causing data breaches, data loss, or unauthorized access. This can lead to loss of user trust, legal consequences, and serious damage to your application’s integrity.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from the event object is being directly included in SQL queries without proper sanitization. This allows attackers to craft input that can manipulate the query, leading to SQL injection vulnerabilities.

Impact

If exploited, attackers could read, modify, or delete data in your database, bypass authentication, or gain unauthorized access to sensitive information. This can result in data breaches, data loss, or full compromise of your application and its users.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from the event object is being directly included in SQL queries without proper sanitization. This makes the application vulnerable to SQL injection attacks because attackers could manipulate input to execute arbitrary SQL commands.

Impact

If exploited, an attacker could read, modify, or delete database records, bypass authentication, or even gain full control over the database. This can lead to data breaches, loss of sensitive information, and potentially severe damage to the application and organization.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: high
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

User input from the AWS Lambda event object is being used directly in Knex raw SQL queries without proper sanitization. This allows attackers to inject malicious SQL code if the input is not safely handled. To prevent this, always use parameterized queries with Knex.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: critical
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

User input from HTTP requests is being directly included in raw SQL queries using Sequelize without proper sanitization or parameterization. This allows attackers to inject malicious SQL code via request data, making the application vulnerable to SQL injection.

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Property
Language: javascript
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building raw SQL queries by directly inserting user input (e.g., string concatenation or template literals) in Sequelize can allow attackers to inject malicious SQL. Always use parameterized queries or data binding to safely include user data in SQL statements.