Det var en kritisksvag punkt upptäcktes i SourceCodester Prison Management System 1.0. Som påverkar en okänd funktion filen /admin/?page=inmates/view_inmate av komponenten Inmate Handler. Manipulering av argumenten id med ingången 1%27%20and%201=2%20union%20select%201,user(),3,4,5,6,7,8,9,0,database(),2,3,4,5,6,7,8,9,0,1,2,3,4--+ en okänd ingång leder till en sårbarhet klass sql injektion svag punkt. Den rådgivande finns tillgänglig för nedladdning på github.com.
Denna svaga punkt behandlas som CVE-2022-2018. Attacken på nätet kan. Det finns tekniska detaljer känd.
Han deklarerade proof-of-concept. Den exploit kan laddas ner från github.com.
En möjlig åtgärd har utfärdats före och inte bara efter offentliggörandet.
| Fält | 07/06/2022 12:15 | 10/06/2022 08:51 |
|---|
| vendor | SourceCodester | SourceCodester |
| name | Prison Management System | Prison Management System |
| version | 1.0 | 1.0 |
| component | Inmate Handler | Inmate Handler |
| file | /admin/?page=inmates/view_inmate | /admin/?page=inmates/view_inmate |
| argument | id | id |
| cwe | 89 (sql injektion) | 89 (sql injektion) |
| risk | 2 | 2 |
| cvss3_vuldb_av | N | N |
| cvss3_vuldb_ac | L | L |
| cvss3_vuldb_pr | H | H |
| cvss3_vuldb_ui | N | N |
| cvss3_vuldb_s | U | U |
| cvss3_vuldb_c | L | L |
| cvss3_vuldb_i | L | L |
| cvss3_vuldb_a | L | L |
| cvss3_vuldb_e | P | P |
| cvss3_vuldb_rc | R | R |
| url | https://github.com/ch0ing/vul/blob/main/WebRay.com.cn/Prison%20Management%20System(SQLI).md | https://github.com/ch0ing/vul/blob/main/WebRay.com.cn/Prison%20Management%20System(SQLI).md |
| availability | 1 | 1 |
| publicity | 1 | 1 |
| url | https://github.com/ch0ing/vul/blob/main/WebRay.com.cn/Prison%20Management%20System(SQLI).md | https://github.com/ch0ing/vul/blob/main/WebRay.com.cn/Prison%20Management%20System(SQLI).md |
| cve | CVE-2022-2018 | CVE-2022-2018 |
| responsible | VulDB | VulDB |
| date | 1654552800 (07/06/2022) | 1654552800 (07/06/2022) |
| cvss2_vuldb_av | N | N |
| cvss2_vuldb_ac | L | L |
| cvss2_vuldb_au | M | M |
| cvss2_vuldb_ci | P | P |
| cvss2_vuldb_ii | P | P |
| cvss2_vuldb_ai | P | P |
| cvss2_vuldb_e | POC | POC |
| cvss2_vuldb_rc | UR | UR |
| cvss2_vuldb_rl | ND | ND |
| cvss3_vuldb_rl | X | X |
| cvss2_vuldb_basescore | 5.8 | 5.8 |
| cvss2_vuldb_tempscore | 5.0 | 5.0 |
| cvss3_vuldb_basescore | 4.7 | 4.7 |
| cvss3_vuldb_tempscore | 4.3 | 4.3 |
| cvss3_meta_basescore | 4.7 | 4.7 |
| cvss3_meta_tempscore | 4.3 | 4.3 |
| price_0day | $0-$5k | $0-$5k |
| input_value | 1%27%20and%201=2%20union%20select%201,user(),3,4,5,6,7,8,9,0,database(),2,3,4,5,6,7,8,9,0,1,2,3,4--+ | 1%27%20and%201=2%20union%20select%201,user(),3,4,5,6,7,8,9,0,database(),2,3,4,5,6,7,8,9,0,1,2,3,4--+ |
| cve_assigned | | 1654552800 (07/06/2022) |
| cve_nvd_summary | | A vulnerability classified as critical has been found in SourceCodester Prison Management System 1.0. Affected is an unknown function of the file /admin/?page=inmates/view_inmate of the component Inmate Handler. The manipulation of the argument id with the input 1%27%20and%201=2%20union%20select%201,user(),3,4,5,6,7,8,9,0,database(),2,3,4,5,6,7,8,9,0,1,2,3,4--+ leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |