Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User input taken from the handler's event object (request parameters, path segments, body fields) is concatenated directly into the text of an SQL query, with no parameterization or escaping. Because the untrusted value becomes part of the statement itself, an attacker can supply quote characters, operators, or comment sequences that change the query's structure and execute SQL of their choosing. The fix is to pass user-supplied values as bound parameters of a prepared statement rather than to build the query string from them; attempting to sanitize the value into the string is error-prone and should not be the primary defence.
Impact
If exploited, an attacker could read, modify, or delete database records, bypass authentication (for example, by turning a login query's WHERE clause into a tautology), read data belonging to other users or tables reachable with the application's database credentials, and, depending on the database's privileges and enabled features, take full control of the database server. This can lead to data breaches, loss of sensitive information, and potentially severe damage to the application and organization.
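The following is an added example, not code from the original page or from any scanned project. It is a minimal Python handler that takes a username from a constructed `event` dictionary (the field layout, the `users` table, and its rows are assumptions made for the demonstration) and runs it against an in-memory SQLite database, first the vulnerable way the Description above warns about and then with a bound parameter. The tautology payload returns every row from the vulnerable query, which is the authentication-bypass case noted under Impact, and returns nothing from the parameterized query.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema and rows so the example runs offline.
    # Assumption: a single "users" table; the real application's schema is
    # not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, role TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role, api_token) VALUES (?, ?, ?)",
        [("alice", "admin", "tok-alice"), ("bob", "user", "tok-bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, event):
    # VULNERABLE (CWE-89): the untrusted value from the event object is
    # spliced into the SQL text, so quotes in it alter the statement.
    username = event["queryStringParameters"]["username"]
    sql = (
        "SELECT username, role, api_token FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, event):
    # FIXED: the value is bound as a parameter. The driver hands it to the
    # engine separately from the statement text, so quotes, operators and
    # comment sequences inside it have no syntactic effect.
    username = event["queryStringParameters"]["username"]
    sql = "SELECT username, role, api_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Constructed inputs: a benign lookup and a classic tautology payload.
    # The payload closes the string literal and appends OR '1'='1', turning
    # the WHERE clause into one that matches every row.
    conn = make_db()
    benign = {"queryStringParameters": {"username": "bob"}}
    attack = {"queryStringParameters": {"username": "x' OR '1'='1"}}
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_attack": lookup_vulnerable(conn, attack),
        "fixed_benign": lookup_fixed(conn, benign),
        "fixed_attack": lookup_fixed(conn, attack),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the script shows the vulnerable query returning both rows, including the admin's token, for the attack input, while the parameterized query treats the whole payload as a literal username and returns no rows. The same pattern applies to any driver that supports placeholders (`?`, `%s`, or `:name` depending on the library); the point is that the user value never becomes part of the statement text.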