← Back to Findings

info SQL Injection

Details

Severityinfo
StatusOpen
Enginezap
Target URLhttps://easm.liifecore.com/technologies/detail?name=%22&version=3.4.1
First Seen2026-07-14 03:00:20 UTC
Last Seen2026-07-14 03:00:20 UTC
CWECWE-89

Description

SQL injection may be possible.

Evidence

HTTP/1.1 500 Internal Server Error

Raw Output

{
  "alert": "SQL Injection",
  "alertRef": "40018",
  "attack": "\"",
  "confidence": "Low",
  "cweid": "89",
  "description": "SQL injection may be possible.",
  "evidence": "HTTP/1.1 500 Internal Server Error",
  "id": "2659",
  "inputVector": "querystring",
  "messageId": "15547",
  "method": "GET",
  "name": "SQL Injection",
  "other": "",
  "param": "name",
  "pluginId": "40018",
  "reference": "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html",
  "risk": "High",
  "solution": "Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side.\nIf the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by \u0027?\u0027\nIf the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.\nIf database Stored Procedures can be used, use them.\nDo *not* concatenate strings into queries in the stored procedure, or use \u0027exec\u0027, \u0027exec immediate\u0027, or equivalent functionality!\nDo not create dynamic SQL queries using simple string concatenation.\nEscape all data received from the client.\nApply an \u0027allow list\u0027 of allowed characters, or a \u0027deny list\u0027 of disallowed characters in user input.\nApply the principle of least privilege by using the least privileged database user possible.\nIn particular, avoid using the \u0027sa\u0027 or \u0027db-owner\u0027 database users. This does not eliminate SQL injection, but minimizes its impact.\nGrant the minimum database access that is necessary for the application.",
  "sourceMessageId": 626,
  "sourceid": "1",
  "tags": {
    "CWE-89": "https://cwe.mitre.org/data/definitions/89.html",
    "HIPAA": "https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#compliance",
    "OWASP_2017_A01": "https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html",
    "OWASP_2021_A03": "https://owasp.org/Top10/A03_2021-Injection/",
    "PCI_DSS": "https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#compliance",
    "POLICY_API": "",
    "POLICY_DEV_CICD": "",
    "POLICY_DEV_FULL": "",
    "POLICY_DEV_STD": "",
    "POLICY_PENTEST": "",
    "POLICY_QA_CICD": "",
    "POLICY_QA_FULL": "",
    "POLICY_QA_STD": "",
    "POLICY_SEQUENCE": "",
    "WSTG-v42-INPV-05": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection"
  },
  "url": "https://easm.liifecore.com/technologies/detail?name=%22\u0026version=3.4.1",
  "wascid": "19"
}

Update Status