

Advisories

Online Bus Booking System v1.0 - Multiple Unauthenticated SQL Injections (SQLi)

9,8

Critical

9,8

Critical

Discovered by

Andres Roldan

Offensive Team, Fluid Attacks

Summary

Full name

Online Bus Booking System v1.0 - Multiple Unauthenticated SQL Injections (SQLi)

Code name

O'Connor

State

Public

Release date

1 nov 2023

Affected product

Online Bus Booking System

Vendor

Projectworlds Pvt. Limited

Affected version(s)

Version 1.0

Vulnerability name

Unauthenticated SQL Injections (SQLi)

Vulnerability type

146. SQL Injection

Remotely exploitable

Yes

CVSS v3.0 vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3.0 base score

9.8

Exploit available

Yes

CVE ID(s)

CVE-2023-45012, CVE-2023-45015, CVE-2023-45018, CVE-2023-45019

Description

Online Bus Booking System v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

Vulnerabilities

CVE-2023-45012

The 'user_email' parameter of the bus_info.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45015

The 'date' parameter of the search.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45018

The 'username' parameter of the includes/login.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45019

The 'category' parameter of the category.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

Our security policy

We have reserved the IDs CVE-2023-45012, CVE-2023-45015, CVE-2023-45018 and CVE-2023-45019 to refer to these issues from now on.

Disclosure policy

System Information

Version: Online Bus Booking System v1.0
Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

References

Vendor page https://projectworlds.in/

Timeline



2 oct 2023

Vulnerability discovered



2 oct 2023

Vendor contacted



1 nov 2023

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Contactar a ventas

Prueba gratis

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.