Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
User input from the ’event’ object is being used directly in SQL queries with pymssql without proper sanitization. This allows attackers to manipulate the SQL statements, creating a risk of SQL injection.
Impact#
If exploited, an attacker could execute arbitrary SQL commands on your database—potentially stealing, modifying, or deleting sensitive data, or even taking control of the database server. This compromises data integrity and can lead to data breaches or system downtime.