Submission #666326: itsourcecode Leave Management System in PHP v1 SQL Injection

Information

Title: itsourcecode Leave Management System in PHP v1 SQL Injection
Description: The password reset endpoint is vulnerable to unauthenticated SQL injection. The backend concatenates the employid request parameter directly into the query's WHERE EMPLOYID=... clause without quoting or parameterisation, so a value such as 0 OR 1=1 makes the predicate true for every row. An attacker can therefore mass-reset all employee passwords to an arbitrary value of their choosing and take over the accounts. Severity: Critical; impact: organization-wide account compromise.
Source: https://github.com/romatdibrohiksnov/vulndb.com/tree/main/itsourcecode%20leave%20management%20system%20Bulk%20Password%20Reset%20SQL%20Injection
User: px_kanten (UID 90960)
Submission: 01/10/2025 11:07 (9 months ago)
Moderation: 07/10/2025 15:01 (6 days later)
Status: Accepted
VulDB Entry: 327369 [itsourcecode Leave Management System 1.0 /reset.php employid SQL injection]
Points: 20
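As an added illustration (example code, not the page's or the itsourcecode project's own code), the following Python model reproduces the flaw the description names, an unquoted employid concatenated into WHERE EMPLOYID=..., next to a hardened form, against a constructed in-memory SQLite table. The table, the username/password columns, the sample rows and the function names are assumptions; only the EMPLOYID column and the 0 OR 1=1 payload come from the description.

```python
import re
import sqlite3

# Constructed sample table. This is not the itsourcecode schema; it carries only
# the EMPLOYID column named in the advisory plus a username and password column.
EMPLOYEES = [
    (101, "alice", "hash_alice"),
    (102, "bob", "hash_bob"),
    (103, "carol", "hash_carol"),
]


def fresh_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE employees ("
        "EMPLOYID INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    con.commit()
    return con


def reset_password_vulnerable(con, employid, new_password):
    """Assumed shape of the flaw the advisory describes: the employid request
    parameter is pasted into WHERE EMPLOYID=... unquoted and unparameterised,
    so the caller controls the predicate. Not the application's actual code."""
    sql = "UPDATE employees SET password = ? WHERE EMPLOYID=" + str(employid)
    cur = con.execute(sql, (new_password,))
    con.commit()
    return cur.rowcount  # number of accounts whose password was overwritten


def reset_password_fixed(con, employid, new_password):
    """Hardened variant: the parameter (a string, as it arrives over HTTP) must
    be a decimal integer and is bound as a query parameter, so the WHERE clause
    cannot be rewritten by the caller."""
    if not re.fullmatch(r"[0-9]+", str(employid)):
        raise ValueError("employid must be a decimal integer")
    cur = con.execute(
        "UPDATE employees SET password = ? WHERE EMPLOYID = ?",
        (new_password, int(employid)),
    )
    con.commit()
    return cur.rowcount


def passwords(con):
    """Current username -> password mapping, to observe the effect of a reset."""
    return dict(
        con.execute("SELECT username, password FROM employees ORDER BY EMPLOYID")
    )


if __name__ == "__main__":
    db = fresh_db()
    # Tautology payload from the advisory: 0 OR 1=1 matches every row.
    print("rows reset by '0 OR 1=1':",
          reset_password_vulnerable(db, "0 OR 1=1", "attacker-chosen"))
    print(passwords(db))
    db = fresh_db()
    try:
        reset_password_fixed(db, "0 OR 1=1", "attacker-chosen")
    except ValueError as exc:
        print("rejected:", exc)
    print("rows reset by fixed(102):", reset_password_fixed(db, "102", "new-secret"))
```

Binding the parameter closes the injection, but it does not address the other property the description states: the endpoint is reachable without authentication. A password reset that any unauthenticated caller can trigger for a chosen EMPLOYID still needs a proof of possession (for example a single-use reset token tied to the account) before the UPDATE runs, and the stored value should be a password hash rather than the plaintext this model writes.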
