Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
Untrusted input is passed directly into GORM methods that take raw SQL fragments, such as Order, Exec, or Raw, without validation or parameterization. Because these methods splice the string into the statement as SQL rather than binding it as a value, an attacker who controls the input can change the structure of the query, which is an SQL injection vulnerability.
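The mitigation in practice, as an added example that is not part of the original page or of GORM: an allow-list that maps user-chosen sort keys to fixed SQL for Order (which has no placeholder support), and a query/argument pair in the shape Raw and Exec accept so the value is bound rather than concatenated. The column names and the users table are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeOrder is returned when sort input is not on the allow-list.
var ErrUnsafeOrder = errors.New("order clause rejected: not on allow-list")

// Assumed schema: keys are the values the API accepts, values are the
// exact SQL identifiers that reach the database. Nothing else is allowed.
var sortableColumns = map[string]string{
	"name":    "users.name",
	"created": "users.created_at",
	"email":   "users.email",
}

// SafeOrderClause turns untrusted input such as "created:desc" into an
// ORDER BY fragment built only from constants. GORM's Order() takes a raw
// SQL fragment, so the user may only select among known strings; no part
// of the input is copied into the clause.
func SafeOrderClause(input string) (string, error) {
	field, dir, _ := strings.Cut(strings.ToLower(strings.TrimSpace(input)), ":")
	col, ok := sortableColumns[field]
	if !ok {
		return "", ErrUnsafeOrder
	}
	switch dir {
	case "", "asc":
		return col + " ASC", nil
	case "desc":
		return col + " DESC", nil
	}
	return "", ErrUnsafeOrder
}

// Query pairs SQL containing only '?' placeholders with its arguments,
// the shape db.Raw(sql, args...) and db.Exec(sql, args...) expect.
type Query struct {
	SQL  string
	Args []any
}

// FindByEmail keeps the email out of the SQL text: the driver sends the
// bound value separately, so quotes or comment markers in it cannot
// change the statement. Vulnerable form: db.Raw("... email = '"+email+"'").
func FindByEmail(email string) Query {
	return Query{SQL: "SELECT * FROM users WHERE email = ?", Args: []any{email}}
}

func main() {
	for _, in := range []string{"created:desc", "Name", "password_hash", "name desc"} {
		clause, err := SafeOrderClause(in)
		fmt.Printf("%q -> %q %v\n", in, clause, err)
	}
	fmt.Println(FindByEmail("alice@example.com"))
}
```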
Impact
If exploited, an attacker could run arbitrary SQL commands against your database—stealing, modifying, or deleting data, bypassing authentication, or even gaining full control of the application’s backend. This puts both user data and system integrity at severe risk.