PT-2022-14847 · Sourcecodester · Sourcecodester Loan Management System

Joinia · Published 2022-06-15 · Updated 2022-06-23 · CVE-2022-2086

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: SourceCodester Bank Management System version 1.0

Description: A critical issue has been found in the login functionality. The manipulation of the password argument with a specific input leads to SQL injection. The attack can be launched remotely. Technical details include the exploitation of the login.php endpoint, where the input 1'and 1=2 union select 1,sleep(10),3,4,5 --+ is used to demonstrate the vulnerability.

Recommendations: For SourceCodester Bank Management System version 1.0, consider disabling the login.php endpoint until a patch is available to prevent SQL injection attacks. Restrict access to the password argument in the login functionality to minimize the risk of exploitation.
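
Added example, not code from the advisory or from the affected application: a Python/SQLite model of the described login query, run with the input quoted in the Description, first with string concatenation and then with bound parameters. The users table, its five columns and the sleep() stub are assumptions made for the demonstration; the application's real schema is not on this page.

```python
import sqlite3
from urllib.parse import unquote_plus

# Input quoted in the advisory, as sent in the request ("+" decodes to a space).
PAYLOAD = unquote_plus("1'and 1=2 union select 1,sleep(10),3,4,5 --+")


def make_db(calls):
    """Constructed stand-in database: a hypothetical 5-column users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(id INTEGER, username TEXT, password TEXT, name TEXT, role TEXT)")
    # Constructed sample row; a real application should store password hashes.
    db.execute("INSERT INTO users VALUES (1, 'alice', 'correct-horse', 'Alice', 'staff')")
    # SQLite has no sleep(); this stub records the call instead of delaying.
    db.create_function("sleep", 1, lambda seconds: calls.append(seconds) or 0)
    return db


def login_concat(db, username, password):
    """Vulnerable pattern: request values are pasted into the SQL text."""
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return db.execute(sql).fetchall()


def login_bound(db, username, password):
    """Hardened pattern: values are bound as parameters, never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


def run(login):
    """Run one login variant with the advisory's input; return (rows, sleep calls)."""
    calls = []
    rows = login(make_db(calls), "alice", PAYLOAD)
    return rows, calls


if __name__ == "__main__":
    for variant in (login_concat, login_bound):
        rows, calls = run(variant)
        print(f"{variant.__name__}: rows={rows} sleep_calls={calls}")
```

In the concatenated variant the database executes sleep() and returns a row built entirely from the request; in the bound variant the same input is compared as a literal password, so nothing matches and sleep() never runs.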

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2022-2086

Affected Products

Sourcecodester Loan Management System