Associated vulnerability
Description
SQL Injection Vulnerability in Vehicle Management System 1.0 - 1.3
Introduction
# CVE-2024-48245
SQL Injection Vulnerability in Vehicle Management System 1.0 - 1.3
# Description
Vehicle Management System 1.0 is vulnerable to SQL Injection. Both low-privileged guest users and administrative accounts can inject into vulnerable POST parameters on several endpoints and execute arbitrary SQL statements against the backend database. This can lead to unauthorized database access, data retrieval, or privilege escalation.
# Affected Parameters:
Booking ID
Action Name
Payment Confirmation ID
# Affected Endpoints:
/vehicle-management/newvehicle.php
/vehicle-management/newdriver.php
# Vulnerability Details
Type: SQL Injection
Vendor: Vehicle Management System
Affected Version: 1.0
# Attack Vectors
Guest User: The Booking Action Name parameter submitted during vehicle booking can be exploited without administrative access.
Admin User: Additional affected parameters are reachable through the admin interface.
# Impact:
Exploiting this vulnerability allows attackers to:
Bypass authentication or access sensitive information.
Manipulate or delete database records.
Escalate privileges and execute unauthorized administrative actions.
# Mitigation:
Validate and sanitize all user input, especially POST parameters.
Use parameterized queries or prepared statements to prevent SQL Injection.
Restrict access to sensitive endpoints and enforce strong authentication measu
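The following is an added example, not code from the Vehicle Management System project or from this advisory, illustrating the mitigation above. The application itself is PHP, and its real schema and query code are not available here, so the example uses a constructed in-memory SQLite table named `bookings` as a stand-in for the Booking ID lookup: the vulnerable string-concatenation pattern is shown beside the parameterized query that fixes it, plus an input-validation check as defence in depth. The table, rows and function names are all assumptions for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the application's booking table.
# The real Vehicle Management System schema is not known here.
SAMPLE_BOOKINGS = [
    (101, "alice", "pending"),
    (102, "bob", "confirmed"),
    (103, "carol", "cancelled"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (id INTEGER PRIMARY KEY, customer TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_BOOKINGS)
    conn.commit()
    return conn


def lookup_booking_vulnerable(conn: sqlite3.Connection, booking_id: str):
    """Vulnerable pattern: the POST value is spliced into the SQL text, so
    quotes, OR clauses and UNION SELECTs sent by the client become SQL."""
    sql = "SELECT id, customer, status FROM bookings WHERE id = '" + booking_id + "'"
    return conn.execute(sql).fetchall()


def lookup_booking_safe(conn: sqlite3.Connection, booking_id: str):
    """Hardened pattern: a parameterized query. The driver transmits the value
    separately from the statement text, so its content is never parsed as SQL."""
    sql = "SELECT id, customer, status FROM bookings WHERE id = ?"
    return conn.execute(sql, (booking_id,)).fetchall()


def is_valid_booking_id(raw: str) -> bool:
    """Defence in depth: a booking id is a positive integer, so anything else
    can be rejected before it reaches the database layer at all."""
    return raw.isdigit() and int(raw) > 0


if __name__ == "__main__":
    db = make_db()
    for payload in ("102", "' OR '1'='1", "' UNION SELECT 1, name, sql FROM sqlite_master --"):
        print(f"payload={payload!r} valid_id={is_valid_booking_id(payload)}")
        print("  vulnerable:", lookup_booking_vulnerable(db, payload))
        print("  safe:      ", lookup_booking_safe(db, payload))
```

With a legitimate id both functions return the same single row. With the tautology payload the concatenated query returns every booking, and with the UNION payload it reads table definitions out of `sqlite_master`, which is the kind of unauthorized data retrieval the advisory describes; the parameterized query returns nothing for either payload because the whole string is compared as a literal value.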
File snapshot
[4.0K] /data/pocs/eac0a21008c11aa1169c5b5765ea621ce11eea47
├── [1.0K] LICENSE
└── [1.3K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the POC through its original source first.
2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.