提交 #855969: code-projects Online Job Portal System V1.0 SQL Injection信息

标题code-projects Online Job Portal System V1.0 SQL Injection
描述During a security review of "Online Job Portal System", a UNION-based SQL injection vulnerability was discovered in /Admin/EditUser.php. The UserId GET parameter is injected directly into a SELECT query with no sanitization. The query result is rendered into editable HTML form fields, making injected column values immediately visible and extractable via standard HTTP responses. This endpoint requires no authentication, and when combined with the other SQL injection vulnerabilities in the same project, provides the most straightforward path to full database extraction and credential theft, including plaintext administrator passwords.
来源⚠️ https://github.com/shihuizhang-dazhi/MY-CVE/issues/3
用户
 dazhi (UID 87857)
提交2026-06-11 12時30分 (1 月前)
管理2026-07-13 23時19分 (1 month later)
状态已接受
VulDB条目378165 [code-projects Online Job Portal 1.0 /Admin/EditUser.php UserId SQL注入]
积分20

Interested in the pricing of exploits?

See the underground prices here!