BigProf Online Invoicing System before 2.9 suffers from an unauthenticated SQL Injection found in /membership_passwordReset.php (the endpoint that is responsible for issuing self-service password resets). An unauthenticated attacker is able to send a request containing a crafted payload that can result in sensitive information being extracted from the database, eventually leading into an application takeover. This vulnerability was introduced as a result of the developer trying to roll their own sanitization implementation in order to allow the application to be used in legacy environments.
References
Link | Resource |
---|---|
https://labs.ingredous.com/2020/07/13/ois-sqli/ | Broken Link |
https://labs.ingredous.com/2020/07/13/ois-sqli/ | Broken Link |
Configurations
History
21 Nov 2024, 05:27
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-29 03:15
Updated : 2024-11-21 05:27
NVD link : CVE-2020-35674
Mitre link : CVE-2020-35674
CVE.ORG link : CVE-2020-35674
JSON object : View
Products Affected
bigprof
- online_invoicing_system
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')