Improper Neutralization of Special Elements in Data Query Logic
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-943: Improper Neutralization of Special Elements in Data Query Logic |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
User-controlled or non-constant data is passed into a MongoDB query through the '$where' operator, which evaluates its argument as arbitrary JavaScript on the database server. If that input is not properly sanitized, the application is vulnerable to NoSQL injection.
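The following is an added example, not code from the rule page or from any project it describes. It contrasts the pattern this rule flags (a request parameter spliced into a '$where' JavaScript expression) with a structured equality filter that carries the same value as a BSON string, and adds a guard that refuses any filter document containing '$where' before it reaches the driver. It assumes the official MongoDB Java driver (mongodb-driver-sync) is on the classpath; the class and method names in the example itself are hypothetical.

```java
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.bson.BsonDocument;
import org.bson.BsonValue;
import org.bson.Document;
import org.bson.conversions.Bson;

import java.util.Map;

/**
 * Added example (not part of the rule page). Shows a '$where' query built from
 * untrusted input next to a structured filter, plus a guard that rejects
 * filters containing '$where'. Assumes the MongoDB Java driver on the classpath.
 */
public class WhereOperatorExample {

    // Flagged pattern: the caller's string becomes part of a JavaScript expression that
    // the server evaluates. Any quote or operator inside 'username' changes the query logic.
    static Bson vulnerableFilter(String username) {
        return new Document("$where", "this.username == '" + username + "'");
    }

    // Hardened form: the value travels as a BSON string in an equality match.
    // Nothing the user supplies is interpreted as code or as a query operator.
    static Bson hardenedFilter(String username) {
        return Filters.eq("username", username);
    }

    // Renders a filter as the driver would send it, so it can be inspected or logged.
    static BsonDocument render(Bson filter) {
        return filter.toBsonDocument(BsonDocument.class, MongoClientSettings.getDefaultCodecRegistry());
    }

    // Defensive check: true if a "$where" key appears at any nesting level of the filter.
    static boolean containsWhere(BsonValue value) {
        if (value.isDocument()) {
            for (Map.Entry<String, BsonValue> entry : value.asDocument().entrySet()) {
                if ("$where".equals(entry.getKey()) || containsWhere(entry.getValue())) {
                    return true;
                }
            }
        } else if (value.isArray()) {
            for (BsonValue item : value.asArray()) {
                if (containsWhere(item)) {
                    return true;
                }
            }
        }
        return false;
    }

    // Single choke point a code base can route reads through; it refuses
    // JavaScript-evaluating filters instead of forwarding them to the server.
    static Document findOne(MongoCollection<Document> collection, Bson filter) {
        if (containsWhere(render(filter))) {
            throw new IllegalArgumentException("refusing filter that uses $where");
        }
        return collection.find(filter).first();
    }

    public static void main(String[] args) {
        String input = "alice"; // constructed sample input, e.g. a request parameter
        System.out.println(render(vulnerableFilter(input)).toJson());
        System.out.println(render(hardenedFilter(input)).toJson());
        System.out.println(containsWhere(render(vulnerableFilter(input))));
        System.out.println(containsWhere(render(hardenedFilter(input))));
    }
}
```

The hardened filter is only safe because the parameter is typed as a String: if the same value arrived as a parsed JSON object and were passed through unchanged, a caller could still supply an operator document in place of the literal, so request values should be coerced to the expected scalar type before they reach a filter builder. Where server-side JavaScript is not needed at all, disabling it on the server (the mongod security.javascriptEnabled setting) removes the '$where' sink entirely and is a useful defense-in-depth complement to the application-level guard.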
Impact
If exploited, an attacker could inject malicious queries, access or modify unauthorized data, bypass authentication, or execute arbitrary code in the database context. This could lead to data breaches, loss of data integrity, or full compromise of the application’s backend database.