BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can result in sensitive information being extracted from the database, eventually leading into an application takeover. This vulnerability was introduced as a result of the developer trying to roll their own sanitization implementation in order to allow the application to be used in legacy environments.
References
Link | Resource |
---|---|
https://labs.ingredous.com/2020/07/13/ois-sqli/ | Broken Link |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-12-24T03:05:28
Updated: 2022-09-29T16:38:55
Reserved: 2020-12-24T00:00:00
Link: CVE-2020-35674
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-09-29T03:15:14.130
Modified: 2022-10-03T18:31:13.977
Link: CVE-2020-35674
JSON object: View
Redhat Information
No data.
CWE