
Raw SQL query flagged in vulnerability testing

Open MohitIH opened this issue 5 years ago • 5 comments

When testing my application for vulnerabilities using MobSF, it flagged com\mixpanel\android\mpmetrics\MPDbAdapter.java for using raw SQL queries, which can lead to SQL injection attacks. Here's the report:

App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.

Severity : High

CVSS V2: 5.9 (medium) CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') OWASP Top 10: M7: Client Code Quality

MohitIH avatar Jun 23 '20 11:06 MohitIH
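Whether a "raw SQL query" finding like the one above is exploitable comes down to one thing: is any value that an attacker can influence concatenated into the SQL text, or is it bound as a parameter? The following is an added example (not code from the mixpanel-android SDK, and not its schema; the `events` table, the `token_A`/`token_B` rows and the payload string are all constructed) that uses Python's built-in sqlite3 module as a stand-in for Android's SQLiteDatabase. It runs the same query in the concatenated form and in the bound form and shows that a tautology payload rewrites the WHERE clause only in the first. On Android the bound form corresponds to passing `?` placeholders with a `selectionArgs` array to `rawQuery`, `query`, `delete` or `update`, or binding values on a compiled `SQLiteStatement`.

```python
import sqlite3

# Constructed sample data standing in for an events table. This is an added
# example, not the SDK's schema or code.
SAMPLE_ROWS = [
    ("token_A", '{"event":"login"}'),
    ("token_A", '{"event":"purchase"}'),
    ("token_B", '{"event":"login"}'),
]

# Classic tautology payload. sqlite3.execute() refuses stacked statements,
# so a second statement ("'; DROP TABLE ...") is not needed to show the bug:
# turning the WHERE clause into "token = '' OR '1'='1'" is enough.
INJECTED_TOKEN = "' OR '1'='1"


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (token TEXT NOT NULL, data TEXT NOT NULL)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def select_raw(conn, token):
    """Vulnerable form (CWE-89): the value is spliced into the SQL text."""
    sql = "SELECT data FROM events WHERE token = '" + token + "'"
    return [row[0] for row in conn.execute(sql)]


def select_bound(conn, token):
    """Hardened form: the value is a bound parameter and is never parsed as SQL."""
    sql = "SELECT data FROM events WHERE token = ?"
    return [row[0] for row in conn.execute(sql, (token,))]


def delete_raw(conn, token):
    """Vulnerable delete; returns the number of rows left afterwards."""
    conn.execute("DELETE FROM events WHERE token = '" + token + "'")
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def delete_bound(conn, token):
    """Hardened delete; returns the number of rows left afterwards."""
    conn.execute("DELETE FROM events WHERE token = ?", (token,))
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def demo():
    """Run each variant against the payload and collect the outcomes."""
    results = {}
    conn = make_db()
    # Honest input behaves the same either way.
    results["raw_honest"] = len(select_raw(conn, "token_A"))
    results["bound_honest"] = len(select_bound(conn, "token_A"))
    # Payload: the raw form returns every row, the bound form returns none
    # because no stored token literally equals the payload string.
    results["raw_injected"] = len(select_raw(conn, INJECTED_TOKEN))
    results["bound_injected"] = len(select_bound(conn, INJECTED_TOKEN))
    # Same story for a destructive statement: raw wipes the table.
    results["raw_delete_left"] = delete_raw(make_db(), INJECTED_TOKEN)
    results["bound_delete_left"] = delete_bound(make_db(), INJECTED_TOKEN)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When reviewing a scanner hit like this, trace every string that reaches the query builder: values that come from the app's own constants or from the SDK's internal bookkeeping are not attacker-controlled, while anything derived from network responses, intents, deep links or user input must be bound, not concatenated. The scanner flags the API pattern, not the data flow, so the review above is what turns "High" into either a confirmed bug or a documented false positive.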

Could we have comment on this from the dev team? My app also got flagged for this now.

woxblom avatar Jul 12 '21 10:07 woxblom

Bumping this. This is also causing an issue on our application.

danmazz avatar Dec 22 '21 20:12 danmazz

Showing as a medium issue in pen test

Can someone look into mitigation?

Prashoor avatar Jun 14 '22 11:06 Prashoor

Hi @Prashoor, which tool are you using? Could you share the log or a screenshot?

zihejia avatar Jun 27 '22 21:06 zihejia

@MohitIH Seems to be a long time since you made this post. Do you happen to have any updates on this issue, by chance? I am also experiencing the same in my current project.

C022IN avatar Mar 19 '23 15:03 C022IN