## Security Finding - DevSync RTO **RTO ID:** `e2825b4f-f753-4768-8a85-6e48bce56d4b` **Severity:** HIGH **Status:** created **Service:** backend-api ### Description ## Vulnerability Details A SQL injection vulnerability was detected in the user authentication module. **Location:** `backend/auth/login.py:45` **Severity:** High **CWE:** CWE-89 (SQL Injection) ### Attack Vector User-supplied input is concatenated directly into SQL query without sanitization. ### Proof of Concept ```python username = "admin' OR '1'='1" query = f"SELECT * FROM users WHERE username = '{username}'" ``` ### Remediation Use parameterized queries or an ORM to prevent SQL injection. ### Details - **Source:** N/A - **Type:** vulnerability - **File:** N/A ### Links - [DevSync Dashboard](https://devsync-backend-production-0d9a.up.railway.app) --- *This issue was automatically created by DevSync*