| Title | gopeak MasterLab ≤v3.3.10 Pre-Auth SQL Injection |
|---|
| Description | Overview:
A critical SQL injection vulnerability has been identified in the MasterLab project management tool, specifically within the sqlInjectDelete function of the Framework.php controller file. This vulnerability, discovered by the researcher glzjin, affects versions up to and including 3.3.10. MasterLab is an open-source project management system that is designed to help teams collaborate and manage tasks effectively.
Description:
The vulnerability resides in the sqlInjectDelete function where user-supplied input, associated with the 'phone' parameter, is improperly sanitized before being used in an SQL query. This oversight allows an attacker to inject arbitrary SQL commands into the backend database. It appears that this function may have been intended for debugging or testing purposes and was inadvertently left in the production code.
The exploit can be triggered without authentication, making it particularly dangerous as it could potentially be used by an unauthenticated attacker to manipulate the database, leading to data leakage, corruption, or loss. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/QgaxbPDi4bS4 |
|---|
| User | glzjin (UID 59815) |
|---|
| Submission | 12/27/2023 10:46 (2 years ago) |
|---|
| Moderation | 12/28/2023 09:34 (23 hours later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 249149 [gopeak MasterLab up to 3.3.10 HTTP POST Request Feature.php sqlInjectDelete phone sql injection] |
|---|
| Points | 0 |
|---|