| Title | Attendance Tracking Management System (PHP & MySQL) 1.0 SQL Injection |
|---|
| Description | Initial Observation
Researchers noticed abnormal query responses when modifying the parameter attendance_id (in practice, labeled as course_id in the actual request) in /admin/report.php.
Root Cause
Input from course_id is used directly in SQL queries without proper cleansing or validation.
Attackers can embed malicious SQL statements by manipulating the parameter, thereby gaining unauthorized access to or control of the database.
If successfully exploited, this SQL injection can result in:
Unauthorized Database Access: Attackers read or retrieve sensitive information.
Data Leakage: Confidential records such as attendance logs or user info may be exposed.
Data Manipulation: Potential to create, update, or delete rows maliciously.
System Disruption: Use of time-based (SLEEP) queries could degrade performance or crash services.
Wider Network Risks: Lateral movement if privileged credentials are compromised. |
|---|
| Source | ⚠️ https://github.com/matias-a11y/cve/issues/2 |
|---|
| User | mxh9934 (UID 73328) |
|---|
| Submission | 12/29/2024 15:25 (2 years ago) |
|---|
| Moderation | 12/29/2024 16:45 (1 hour later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 289770 [1000 Projects Attendance Tracking Management System 1.0 /admin/report.php attendance_report course_id sql injection] |
|---|
| Points | 20 |
|---|