Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User input from HTTP requests is being passed directly into Django’s raw() SQL queries without proper sanitization or parameterization. This allows attackers to inject malicious SQL code, making your application vulnerable to SQL injection.
Impact#
If exploited, attackers can access, modify, or delete data in your database, potentially exposing sensitive information, corrupting data, or gaining unauthorized access to user accounts. This can lead to data breaches, loss of user trust, and significant harm to your organization.