CVE-2018-25201
7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Wecodex Solutions | School Management System CMS | 1.0 | affected |
Weaknesses
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://www.exploit-db.com/exploits/44727
- https://www.wecodex.com/item/view/school-management-system-in-php-and-mysql/5
- https://www.vulncheck.com/advisories/school-management-system-cms-admin-login-sql-injection
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.