Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Eligibility Information Update.
The vulnerability results from the lack of proper validation and sanitization of input data passed to database queries in the eligibility information update section. An attacker can inject malicious SQL code directly into query parameters, thereby manipulating the database logic. Due to the network vector (AV:N) and lack of authentication requirement (PR:N) and user interaction (UI:N), the attack can be conducted remotely by an unauthorized person.
An attacker can obtain unauthorized access to data stored in the database, modify or delete data, and under favorable conditions take control of the database server, which includes complete violation of the system's confidentiality, integrity, and availability.
Patches available from the manufacturer should be applied in accordance with the references. Additionally, it is recommended to implement parameterized SQL queries (prepared statements) and server-side input data validation. Until the fix is applied, consider restricting access to the vulnerable module at the firewall or application server level.
Code-Projects Scholars Tracking System version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCode Projects Scholars Tracking System
APPCode-Projects1.0
Related vulnerabilities
SQL Injection w Code-Projects Scholars Tracking System 1.0
SQL Injection vulnerability in Code-projects.org Scholars Tracking System 1.0 allows attackers to run arbitrar...
Cross Site Scripting (XSS) vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run...
Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Employment Status Information ...
Auth Bypass w Simple Car Rental System — przejęcie sesji wysokich uprawnień