Property
Language	java
Severity
CWE	CWE-943: Improper Neutralization of Special Elements in Data Query Logic
OWASP	A01:2017 - Injection
Confidence Level	Low
Impact Level	High
Likelihood Level	Low

Description

User-controlled or non-constant data is being passed into MongoDB queries using the ‘$where’ operator, which allows execution of arbitrary JavaScript code. This makes the application vulnerable to NoSQL injection attacks if the input is not properly sanitized.

Impact

If exploited, an attacker could inject malicious queries, access or modify unauthorized data, bypass authentication, or execute arbitrary code in the database context. This could lead to data breaches, loss of data integrity, or full compromise of the application’s backend database.

Property
Language
Severity
CWE	CWE-943: Improper Neutralization of Special Elements in Data Query Logic
OWASP	A01:2017 - Injection
Confidence Level	Medium
Impact Level	High
Likelihood Level	Medium

Description

User input from the Lambda event object is being passed directly into DynamoDB queries without proper validation or sanitization. This can allow attackers to inject malicious data into database operations, leading to insecure database access.

Impact

If exploited, an attacker could manipulate database queries to access, modify, or delete data they shouldn’t, potentially exposing sensitive information or corrupting your database. This can lead to data breaches, data loss, or unauthorized actions within your AWS environment.

Property
Language
Severity
CWE	CWE-943: Improper Neutralization of Special Elements in Data Query Logic
OWASP	A01:2017 - Injection
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

User input from the event object is being used directly in DynamoDB query filters without validation or sanitization. This allows attackers to manipulate queries by injecting malicious data into filter parameters.

Impact

An attacker could craft requests that alter database queries, potentially exposing, modifying, or deleting data they shouldn’t have access to. This can lead to data breaches, unauthorized access, or disruption of business operations.

Property
Language
Severity
CWE	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
OWASP	A03:2021 - Injection
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

User input from HTTP requests is being included directly in the ‘html_message’ parameter of Django’s send_mail() function without proper sanitization. This allows attackers to inject malicious HTML or JavaScript into emails sent by your application.

Property
Language
Severity
CWE	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
OWASP	A03:2021 - Injection
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

User input from the HTTP request is being included directly in the HTML body of an email without proper sanitization or escaping. This allows attackers to inject malicious HTML or JavaScript into emails sent from your application.

Property
Language
Severity
CWE	CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
OWASP	A03:2021 - Injection
Confidence Level	High
Impact Level	Medium
Likelihood Level	High

Description

Using ’local-exec’ or ‘remote-exec’ provisioners in Terraform allows arbitrary shell commands to run during resource creation, which is risky and difficult to track. This can introduce unintended changes and opens the door to command injection vulnerabilities.

Impact

If exploited, attackers could execute unauthorized commands on infrastructure, leading to potential data breaches, system compromise, or further lateral movement within the environment. This undermines infrastructure security and can result in loss of control or exposure of sensitive resources.

Property
Language
Severity
CWE	CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
Confidence Level	Medium
Impact Level	High
Likelihood Level	Low

Description

User input is being directly incorporated into the template string before parsing with html/template, allowing attackers to inject malicious template code. This can lead to execution of unintended actions on the server side.

Impact

If exploited, an attacker could execute arbitrary template code on the server, potentially exposing sensitive data, altering application behavior, or performing unauthorized actions. This could result in data breaches, privilege escalation, or complete compromise of the application.

Property
Language
Severity
CWE	CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
OWASP	A03:2021 - Injection
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

User-supplied data from request objects (such as query, body, params, cookies, or headers) is being directly passed into template engines like Pug, EJS, or Handlebars without proper sanitization. This allows attackers to inject malicious code into server-side templates.

Property
Language	csharp
Severity
CWE	CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

The code builds LDAP queries by directly including user input without proper validation or encoding. This allows attackers to inject malicious LDAP statements into queries.

Impact

If exploited, an attacker could access, modify, or delete sensitive directory data by manipulating LDAP queries, potentially leading to unauthorized access, data leaks, or compromised user accounts within your application.

Property
Language	java
Severity
CWE	CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP	A01:2017 - Injection
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description

User input from an HttpServletRequest is being used directly in an LDAP query without proper sanitization. This allows attackers to inject malicious LDAP statements by manipulating request parameters.

Impact

If exploited, an attacker could modify, access, or delete sensitive records in the LDAP directory, potentially bypassing authentication, escalating privileges, or disrupting application functionality. This threatens data integrity and security across your system.