Property
Language: javascript
Severity: critical
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP: A01:2017 - Injection
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

User input from HTTP requests is included directly in raw SQL queries run through Sequelize, without sanitization or parameterization. This lets an attacker inject SQL via request data, making the application vulnerable to SQL injection.
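The pattern this rule flags beside its parameterized fix, as an added example that is not code from this page or from Sequelize. The `sequelize` object is a constructed stub that only records the `(sql, options)` a handler would pass to the real `sequelize.query`, so both handlers can be compared offline without a database; the request object and the usernames are constructed too.

```javascript
// Constructed stub: records the (sql, options) a handler would pass to the
// real sequelize.query(sql, options). No database is contacted.
function makeSequelizeStub() {
  const calls = [];
  return {
    calls,
    query(sql, options = {}) {
      calls.push({ sql, options });
      return Promise.resolve([]);
    },
  };
}

const QueryTypes = { SELECT: 'SELECT' }; // stands in for Sequelize's QueryTypes.SELECT

// VULNERABLE (the pattern this rule flags): the request value becomes part of
// the SQL text, so a quote in the input changes the statement's structure.
function findUserVulnerable(sequelize, req) {
  const sql = `SELECT id, email FROM users WHERE username = '${req.query.username}'`;
  return sequelize.query(sql, { type: QueryTypes.SELECT });
}

// HARDENED: the SQL text is a constant; the value is a named replacement
// (:username) that Sequelize escapes for the dialect before sending it.
// (`bind: { username }` with `$username` in the SQL is the driver-level alternative.)
function findUserSafe(sequelize, req) {
  const sql = 'SELECT id, email FROM users WHERE username = :username';
  return sequelize.query(sql, {
    replacements: { username: String(req.query.username) },
    type: QueryTypes.SELECT,
  });
}

// Capture what a handler hands to the driver for one constructed request.
function capture(handler, username) {
  const stub = makeSequelizeStub();
  handler(stub, { query: { username } }); // constructed Express-style req
  return stub.calls[0];
}

// Review check: a parameterized handler yields identical SQL text for any two
// inputs; a concatenating one does not. Returns true when the text varies.
function sqlTextVaries(handler) {
  const a = capture(handler, 'alice').sql;
  const b = capture(handler, "O'Brien").sql; // constructed input containing a quote
  return a !== b;
}
```

The `sqlTextVaries` check is the property a reviewer wants: with parameterization the statement text is independent of request data, and only the `replacements` (or `bind`) values change.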

Impact

Exploiting this vulnerability, an attacker could access, modify, or delete sensitive database information, bypass authentication, or execute arbitrary SQL commands. This can lead to data breaches, data loss, or complete compromise of the application and underlying database.