155 – SQL Injection - Headers

Description

The application allows injecting SQL statements in the idClient header and application fields.

Impact

- Obtain confidential information from the database. - Modify and delete information from the database.

Recommendation

Perform database queries by means of parameterized statements or stored procedures.

Threat

Authenticated internal attacker in the application.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): H
• Integrity (VI): H
• Availability (VA): H
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 169 - Use parameterized queries
• 173 - Discard unsafe inputs

Fixes

• Csharp
• Elixir
• Go
• Java
• Php
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/14