Sacco Management system v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /sacco/ajax.php.
The application does not properly validate or filter input data passed in the password parameter during database queries. An attacker can inject malicious SQL code directly into the query executed by the /sacco/ajax.php endpoint. This allows manipulation of database query logic without needing authentication.
An attacker can gain unauthorized access to data stored in the database, including confidential and authentication data, and in certain configurations may also modify or delete data and potentially take control of the database system.
Apply patches available from the vendor according to references. Additionally, it is recommended to implement parameterized SQL queries (prepared statements) and strict server-side input validation. Until the patch is applied, it is recommended to restrict access to the /sacco/ajax.php endpoint at the firewall or WAF level.
Mayurik Sacco Management System v1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMayurik Sacco Management System
APPMayurik1.0
Related vulnerabilities
SQL Injection w Pet Grooming Management Software via parametr ID
SQL Injection w 101news — parametr sadminusername w panelu admina
SQL Injection w 101news — podatność w parametrze 'username'
SQL Injection w 101news (Mayurik Best Online News Portal) via parametr pagedescription
SQL Injection w 101news – parametry category i subcategory