| عنوان | PHPGurukul Pre-School Enrollment System 1.0 Authorization Bypass Through User-Controlled SQL Primary Key |
|---|
| الوصف | During the security review of "Pre-School Enrollment System",I discovered a SQL injection vulnerability in the "/admin/profile.php" file. This vulnerability stems from insufficient user input validation of the 'fullname', emailid' and 'mobileNumber' parameter, allowing attackers can use any parameter to inject malicious SQL statement. Attackers can bypass authorization through user controlled SQL primary keys.This may lead to the risk of arbitrarily modifying the information or even passwords of other users or administrators.Since this system uses the MD5 algorithm, attackers can impersonate users to perform operations. |
|---|
| المصدر | ⚠️ https://github.com/SECWG/cve/issues/2 |
|---|
| المستخدم | WenGui (UID 82184) |
|---|
| ارسال | 05/03/2025 03:46 PM (1 سنة منذ) |
|---|
| الاعتدال | 07/03/2025 07:15 AM (2 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 298902 [PHPGurukul Pre-School Enrollment System حتى 1.0 /admin/profile.php fullname/emailid/mobileNumber حقن SQL] |
|---|
| النقاط | 20 |
|---|