| 제목 | Best POS Management System 1.0 SQL injection vulnerability on login page |
|---|
| 설명 | Best POS Management System 1.0 login page contains a SQL injection vulnerability via username parameter in /kruxton/admin_class.php. An attacker can login system as an administrator without valid username or password, the attacker can then READ/WRITE/DELETE the system data.
This is the first report for the vulnerability. CVE search result
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Best+pos+management+system
source of disclosure
In `admin_class.php:login` function, the `username` parameter is directly spliced into the SQL statement without sanitization
Impact
Allows an attacker to bypass user authentication and manipulate system information.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|---|
| 원천 | ⚠️ https://github.com/movonow/demo/blob/main/kruxton.md |
|---|
| 사용자 | zhangguohu (UID 30684) |
|---|
| 제출 | 2023. 07. 11. AM 09:51 (3 연령 ago) |
|---|
| 모더레이션 | 2023. 07. 11. PM 04:32 (7 hours later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 233565 [SourceCodester Best POS Management System 1.0 Login Page admin_class.php 사용자 이름 SQL 주입] |
|---|
| 포인트들 | 20 |
|---|