PT-2021-24138 · Unknown · Online Enrollment Management System
Published: 2021-12-23 · Updated: 2022-01-04 · CVE-2021-44599
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Online Enrollment Management System version 1.0
Description:
The issue allows SQL injection through the id parameter. An attacker can craft a payload that injects a SQL sub-query which calls MySQL's LOAD_FILE() function with a UNC file path referencing a URL on an external domain. The application then interacts with the external domain, which indicates that the injected SQL query was executed. The attacker can retrieve sensitive information for all users of the system.
Recommendations:
For Online Enrollment Management System version 1.0, consider restricting access to the id parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the id parameter in sensitive operations until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Online Enrollment Management System