| 제목 | Portfolio Management System MCA Project using PHP and MySQL V1.0 SQL Injection |
|---|
| 설명 | A critical SQL Injection vulnerability has been identified in the “Portfolio Management System MCA Project” (version 1.0) under the file /update_ed.php. This weakness enables attackers to exploit the application by injecting malicious SQL commands into the “MULTIPART e_id” parameter, potentially leading to full database compromise, unauthorized data manipulation, and severe impacts on business continuity.
Root Cause:
User input from the MULTIPART e_id parameter is consumed directly within SQL statements without adequate validation or sanitization. As a result, an attacker can append or modify SQL syntax to perform unauthorized database operations.
Potential Impacts:
Unauthorized Access to Database: Attackers can read private tables or sensitive columns.
Data Leakage and Modification: Confidential data may be exfiltrated or altered without detection.
Escalation to System-wide Control: In certain scenarios, privileged actions (e.g., dropping tables or creating new admin accounts) are feasible.
Service Disruption: Database corruption or heavy load queries can lead to application downtime. |
|---|
| 원천 | ⚠️ https://github.com/naotuo/CVE/blob/main/SQL_Injection_in_Portfolio_Management_System.md |
|---|
| 사용자 | naotuo (UID 79484) |
|---|
| 제출 | 2024. 12. 27. AM 06:39 (1 년도 ago) |
|---|
| 모더레이션 | 2024. 12. 28. AM 09:45 (1 day later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 289664 [1000 Projects Portfolio Management System MCA 1.0 /update_ed.php e_id SQL 주입] |
|---|
| 포인트들 | 20 |
|---|