Asset Management System v1.0 - Authenticated SQL Injection (SQLi)
Summary
Name | Asset Management System v1.0 - Authenticated SQL Injection (SQLi) |
Code name | |
Product | Asset Management System |
Affected versions | Version 1.0 |
State | Public |
Release date | 2023-09-28 |
Vulnerability
Kind | Authenticated SQL Injection (SQLi) |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSSv3.1 Base Score | 8.8 |
Exploit available | Yes |
CVE ID(s) |
Description
Asset Management System v1.0 is vulnerable to an Authenticated SQL Injection vulnerability in the 'first_name' and 'last_name' parameters of the user.php page, allowing an authenticated attacker to dump the entire contents of the database.
Vulnerability
The user.php resource does not validate the characters received in the 'first_name' and 'last_name' parameters, and they are sent unfiltered to the database. The vulnerable function is 'update_profile()', located at core/functions/user.php:
function update_profile($con,$update_user,$id){
    $update = array();
    $update_user['password']= md5($update_user['password']);
    foreach($update_user as $field=>$data) {
        // Each field name and value is concatenated into the statement without escaping or binding
        $update[] = '`' . $field . '`=\'' . $data . '\'';
        mysqli_query($con, "UPDATE `users` SET" . implode(', ', $update) . " WHERE `id`=$id");
    }
}
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-43014 to refer to this issue from now on.
System Information
- Version: Asset Management System v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
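One way update_profile() could be hardened, given here as an added example (not a vendor patch and not code from the original advisory). The column allowlist and the names build_profile_update() and update_profile_safe() are assumptions; only first_name, last_name and password are known from the advisory.

```php
<?php
// Added example, not vendor code. Assumption: these are the editable columns.
const PROFILE_COLUMNS = ['first_name', 'last_name', 'password'];

// Hypothetical helper: builds the statement text, bind types and bound values.
function build_profile_update(array $update_user, int $id): ?array
{
    $set = [];
    $values = [];
    foreach ($update_user as $field => $data) {
        // Column names cannot be bound, so only allowlisted names are used.
        if (!in_array($field, PROFILE_COLUMNS, true)) {
            continue;
        }
        if ($field === 'password') {
            // Same md5() as the original so stored hashes still match;
            // replacing it is a separate change from the injection fix.
            $data = md5((string) $data);
        }
        $set[] = "`$field` = ?";
        $values[] = (string) $data;
    }
    if ($set === []) {
        return null; // nothing valid to update
    }
    $values[] = $id;
    $sql = 'UPDATE `users` SET ' . implode(', ', $set) . ' WHERE `id` = ?';
    return [$sql, str_repeat('s', count($set)) . 'i', $values];
}

// Hypothetical replacement for update_profile(): values travel as bound
// parameters, never as part of the SQL text.
function update_profile_safe(mysqli $con, array $update_user, int $id): bool
{
    $built = build_profile_update($update_user, $id);
    if ($built === null) { return false; }
    [$sql, $types, $values] = $built;
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) { return false; }
    mysqli_stmt_bind_param($stmt, $types, ...$values);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Constructed input: a quoted name and an unexpected column; no database needed.
[$sql, $types] = build_profile_update(['first_name' => "O'Brien", 'role' => 'x'], 7);
echo $sql, ' [', $types, "]\n";
```

The statement text printed at the end contains only placeholders and allowlisted column names, so a quote character in a submitted name reaches the database as data rather than as SQL.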
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://projectworlds.in/
Timeline
2023-09-21
Vulnerability discovered.
2023-09-21
Vendor contacted.
2023-09-28
Public Disclosure.