Money Transfer Management System 1.0 - SQL Injection
4,3
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Money Transfer Management System - SQL Injection
Code name
State
Public
Release date
15 de mar. de 2022
Affected product
Money Transfer Management System 1.0
Affected version(s)
Version 1.0
Vulnerability name
SQL injection
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v3.1 base score
4.3
Exploit available
No
CVE ID(s)
Description
Money Transfer Management System Version 1.0 allows an authenticated user to inject SQL queries in mtms/admin/?page=transaction/view_details via the id parameter.
Proof of Concept
Steps to reproduce
Log in to the application as a normal user.
Go to
http://127.0.0.1/mtms/admin/?page=transaction/view_details&id=1Insert the following query inside the
idparameter.The current database user will be shown inside the
Tracking Codefield.
System Information
Version: Money Transfer Management System version 1.0.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: MySQL
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
By 2022-03-15 there is not a patch resolving the issue.
References
Timeline
Vulnerability discovered
15 de fev. de 2022
Vendor contacted
15 de fev. de 2022
Public disclosure
15 de mar. de 2022
