=== What is the potential impact?

In the context of a web application that is vulnerable to NoSQL injection: +
After discovering the injection point, attackers insert data into the vulnerable
field to execute malicious commands in the affected databases.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the vulnerability.

==== Identity spoofing and data leakage

In the context of simple query logic breakouts, a malicious database query
enables privilege escalation or direct data leakage from one or more databases. +
This threat is the most widespread impact.

==== Data deletion and denial of service

The malicious query makes it possible for the attacker to delete data in the
affected databases. +
This threat is particularly insidious if the attacked organization does not
maintain a disaster recovery plan (DRP) as missing data can disrupt the regular
operations of an organization.

==== Chaining NoSQL injections with other vulnerabilities

Attackers who exploit NoSQL injections rely on other vulnerabilities to maximize
their profits. +
Most of the time, organizations overlook some defense in depth measures because
they assume attackers cannot reach certain points in the infrastructure. This
misbehavior can lead to multiple attacks with great impact:

* When secrets are stored unencrypted in databases: Secrets can be exfiltrated and lead to compromise of other components.
* If server-side OS and/or database permissions are misconfigured, injection can lead to remote code execution (RCE).