| Property | Value |
|---|---|
| Language | python |
| Severity | high |
| CWE | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |

## Description

User input taken from an HTTP request is interpolated directly into the SQL text of a `RawSQL` query, with no sanitization and no parameterization. Because the request data becomes part of the query string itself, an attacker can inject SQL of their own by manipulating that request data.
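The pattern the rule flags next to its parameterized fix, as an added example that is not part of the original rule page. It assumes the `RawSQL` in question is Django's `django.db.models.expressions.RawSQL(sql, params)`; since Django is not required here, an in-memory sqlite3 table stands in for the database and a one-line helper maps Django's `%s` placeholders to sqlite's `?` so the same (sql, params) shape can be executed.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER, username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 1)],
    )
    return conn


def to_sqlite(sql):
    """Demo-only shim: Django's RawSQL uses %s placeholders, sqlite3 uses ?."""
    return sql.replace("%s", "?")


def vulnerable_lookup(conn, username):
    """Request data spliced into the SQL text: this is what the rule reports.

    Django equivalent (hypothetical view code):
        RawSQL("SELECT id FROM account WHERE username = '%s'" % request.GET["u"], [])
    The value is parsed as SQL, so quote characters in it change the query's logic.
    """
    sql = "SELECT id FROM account WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, username):
    """Placeholder in the SQL text, value passed separately as params.

    Django equivalent (hypothetical view code):
        RawSQL("SELECT id FROM account WHERE username = %s", (request.GET["u"],))
    The driver binds the value as data; it is never parsed as SQL.
    """
    sql = "SELECT id FROM account WHERE username = %s"
    params = (username,)
    return [row[0] for row in conn.execute(to_sqlite(sql), params)]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input containing SQL metacharacters
    print("vulnerable:", vulnerable_lookup(db, probe))  # every row comes back
    print("safe:      ", safe_lookup(db, probe))        # no row has that literal name
```

Parameters bind values only; a table or column name coming from the request cannot be fixed this way and must be checked against an allow-list before it is placed in the SQL text.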

## Impact

If exploited, an attacker could execute arbitrary SQL against your database, leading to data leaks, unauthorized modification or deletion of data, and potentially full compromise of the application's data layer. This puts sensitive information and system integrity at severe risk.