Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code builds SQL queries by concatenating variables directly into the query string passed to node-postgres. If any of these variables carry user input that is not properly sanitized, an attacker can inject SQL commands of their own into the query.
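To make the flagged pattern concrete, here is an added example (not code from the original page or from the node-postgres project) that places a concatenated query beside the parameterized form pg supports, adds a small consistency check on a `{ text, values }` query config, and implements a line-level heuristic of the kind this rule applies. No database connection is made; the functions only build or inspect query text, so it runs offline. Assumed, as a known property of node-postgres: `query()` accepts either a SQL string or a `{ text, values }` object with positional `$1`, `$2`, ... placeholders. The sample username and the sample source lines are constructed for the demonstration.

```javascript
// Added example (not from the original page or from node-postgres): the
// concatenation pattern the rule flags, the parameterized form pg supports,
// and a heuristic line check resembling the rule itself. Runs offline.

// Flagged pattern: the user-controlled value is spliced into the SQL text,
// so any quote or SQL syntax it contains changes the statement's structure.
function buildUserQueryUnsafe(username) {
  return "SELECT id, email FROM users WHERE username = '" + username + "'";
}

// Parameterized form (assumed pg query-config shape): the SQL text is a
// constant and the value travels separately as a bind parameter, so it is
// never interpreted as SQL regardless of its content.
function buildUserQuerySafe(username) {
  return {
    text: 'SELECT id, email FROM users WHERE username = $1',
    values: [username],
  };
}

// Count single-quote characters in a SQL string. With splicing, a quote in
// the input leaves the statement with an odd number of quote delimiters;
// with placeholders the count is fixed for every input.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Consistency check on a { text, values } config: the highest $n placeholder
// must equal the number of bound values, so a mismatch is caught before the
// query is ever sent to the server.
function validateQueryConfig(config) {
  const placeholders = config.text.match(/\$\d+/g) || [];
  const highest = placeholders.reduce(
    (max, p) => Math.max(max, Number(p.slice(1))), 0);
  return highest === config.values.length;
}

// Line-level heuristic resembling the page's rule: flag a .query( call whose
// first argument is built with '+' concatenation or a ${...} template
// interpolation. Like the rule (Low confidence), it cannot tell a constant
// from user input, so each finding still needs manual review.
const CONCAT_QUERY = /\.query\s*\(\s*(?:`[^`]*\$\{|[^)]*\+)/;
function flagsConcatenatedQuery(sourceLine) {
  return CONCAT_QUERY.test(sourceLine);
}

// Constructed sample input: a legitimate username that happens to contain a
// quote character.
const SAMPLE_USERNAME = "O'Brien";

// Constructed source lines, as a scanner would see them in application code.
const SAMPLE_LINES = [
  'client.query("SELECT * FROM users WHERE id = " + req.params.id)',
  'client.query(`SELECT * FROM users WHERE id = ${req.params.id}`)',
  "client.query('SELECT * FROM users WHERE id = $1', [req.params.id])",
  'pool.query(statement, params)',
];

// Stand-alone demo (guarded so the file also loads cleanly as a module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', buildUserQueryUnsafe(SAMPLE_USERNAME));
  console.log('safe   :', JSON.stringify(buildUserQuerySafe(SAMPLE_USERNAME)));
  for (const line of SAMPLE_LINES) {
    console.log(flagsConcatenatedQuery(line) ? 'FLAG' : 'ok  ', line);
  }
}
```

Running the file shows the unsafe builder producing a statement with three quote delimiters for `O'Brien` (a broken, and in the general case attacker-shaped, query), while the parameterized config keeps its text unchanged and carries the value in `values`. The heuristic flags the first two sample lines and passes the placeholder form, which is the remediation this rule points to.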
Impact
An attacker could manipulate the SQL query to read, modify, or delete database data without authorization. This could lead to a data breach, data corruption, or data loss, and potentially compromise the security of the entire application.