Details
Description
Is there any reason why in org.apache.syncope.core.persistence.impl.AttributableSearchDAOImpl:419
the LIKE condition is appended by string concatenation?
query.append(" LIKE '").append(cond.getExpression()).append("'");
IMO this could open up a possible SQL injection vulnerability.
In AttributableSearchDAOImpl:387 a query parameter is used, as I would have expected.
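To make the concern concrete, here is an added example (not Syncope code, and not the reporter's) that reproduces both patterns from the report against a throwaway SQLite table: a `search_like_concat` that splices the search expression into the SQL text the way the quoted `query.append(...)` line does, and a `search_like_param` that binds it as a parameter. The table `user_attr` and its rows are constructed for the example. A third function shows a caveat the ticket does not mention: even with a bound parameter, `%` and `_` in the expression remain LIKE wildcards unless escaped, so binding fixes injection of SQL syntax but not wildcard abuse.

```python
import sqlite3


def make_db():
    """Build an in-memory table standing in for an attribute-value table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_attr (username TEXT, attr_name TEXT, attr_value TEXT)")
    rows = [
        ("alice", "email", "alice@example.com"),
        ("bob", "email", "bob@example.com"),
        ("carol", "email", "carol@corp.example"),
    ]
    conn.executemany("INSERT INTO user_attr VALUES (?, ?, ?)", rows)
    return conn


def search_like_concat(conn, attr_name, expression):
    """VULNERABLE: mirrors the string-concatenation pattern from the report.

    The caller-controlled expression becomes part of the SQL text, so a quote
    character in it terminates the string literal and the rest is parsed as SQL.
    """
    sql = (
        "SELECT username FROM user_attr WHERE attr_name = '" + attr_name
        + "' AND attr_value LIKE '" + expression + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_like_param(conn, attr_name, expression):
    """Hardened: the expression is bound as a parameter and can only ever be a pattern value."""
    sql = "SELECT username FROM user_attr WHERE attr_name = ? AND attr_value LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (attr_name, expression)))


def search_like_param_escaped(conn, attr_name, literal_fragment):
    """Hardened plus wildcard escaping: a 'contains' search on a literal fragment.

    Binding stops SQL injection, but '%' and '_' inside the bound value are still
    LIKE metacharacters. Escape them and declare the escape character so the
    fragment is matched literally.
    """
    escaped = (
        literal_fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        "SELECT username FROM user_attr "
        "WHERE attr_name = ? AND attr_value LIKE ? ESCAPE '\\'"
    )
    return sorted(row[0] for row in conn.execute(sql, (attr_name, "%" + escaped + "%")))


if __name__ == "__main__":
    db = make_db()
    injected = "nobody' OR '1'='1"
    # Concatenation: the quote breaks out of the literal and the OR matches every row.
    print("concat   :", search_like_concat(db, "email", injected))
    # Binding: the whole string is one pattern that matches nothing.
    print("param    :", search_like_param(db, "email", injected))
    # Wildcards still work through a bound parameter...
    print("wildcard :", search_like_param(db, "email", "%"))
    # ...unless escaped when the caller meant a literal.
    print("escaped  :", search_like_param_escaped(db, "email", "%"))
```

Running the module prints the full user list for the concatenated query and an empty list for the bound one with the same input; the last two lines show a bare `%` matching everything when bound unescaped and nothing once escaped. The quoted `AttributableSearchDAOImpl:387` pattern corresponds to `search_like_param`; whether wildcard escaping is wanted depends on whether the search expression is meant to be a pattern or a literal.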