SQL Query Disclosure

XMLWordPrintable

    • Type: Task
    • Resolution: Unresolved
    • Priority: Medium
    • 3.8.0
    • Affects Version/s: None
    • FLW Sprint 37, FLW Sprint 38, FLW Sprint 39, FLW Sprint 40
    • FLW Mobile App
    • All

      Internal SQL queries are exposed through logs, error messages, or API responses.

      Impact:
      Allows attackers to understand database structure and facilitate SQL injection.

       

      Vulnerability Name Vulnerable URL CVE/CWE CVSS Score Overall Risk
      (Severity)      		 Observation / Description Impact Recommendation Reference Steps to reproduce
      https://uatamrit.piramalswasthya.org/identity-api/rmnch/syncDataToAmrit SQL Query Disclosure  CWE-209 5.3 Medium One or more pages contain HTML comments that look like SQL statements. These SQL statements may disclose sensitive information to an attacker. An SQL Injection vulnerability may affect any website or web application that uses an SQL database such as MySQL, Oracle, SQL Server, or others. may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. These comments should be investigated and, if necessary, removed from the pages. https://owasp.org/www-community/attacks/SQL_Injection Step 1: During security assessment we got an  endpoint https://uatamrit.piramalswasthya.org/identity-api/rmnch/syncDataToAmrit
      Step 2: We captured the request on Burpsuite, and then we observed Sql Query Disclosure in the response.

              Assignee:
              Vishwanath Balkur
              Reporter:
              Shashank Kharkwal
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: