PT-2021-10283 · Unknown · Online Book Store
Liao10086
·
Published
2021-05-05
·
Updated
2021-05-07
·
CVE-2020-19112
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Online Book Store version 1.0
Description:
The issue allows a remote malicious user to execute arbitrary code via SQL Injection in the
bookisbn parameter to the "admin delete.php" API endpoint. This could potentially lead to unauthorized access and data manipulation.Recommendations:
For Online Book Store version 1.0, consider restricting access to the
admin delete.php endpoint until a patch is available, and avoid using the bookisbn parameter in this endpoint to minimize the risk of exploitation.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Online Book Store