
SQL Injection in "utilisateurs.php" id_utilisateur POST parameter (Authenticated) #5

Open
@Frentzen

Description

Product Version: 9.4.0

Author: Frentzen

CVE Assigned: CVE-2021-41672

Vulnerability Description: An authenticated user (with some administrator privileges) can inject a malicious query in order to achieve SQL injection via the "id_utilisateur" POST parameter on the /peel-shopping_9_4_0/administrer/utilisateurs.php endpoint. After this attack, the attacker can read sensitive information from the database and even modify its data.

Vulnerable URL: http://localhost/peel-shopping_9_4_0/administrer/utilisateurs.php

Proof of Concept:

[image: cverequest2]

[image: cveresponse]
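A defensive pattern for the parameter named in this report, added here as an example and not taken from PEEL Shopping's code: the hypothetical unsafe handler interpolates the raw POST value into the query text, while the hardened version accepts only an integer and binds it through a prepared statement. The PDO connection, the table name and the column name are assumptions for the example.

```php
<?php
// Added illustration, not code from PEEL Shopping. Assumes a PDO connection
// in $pdo and a table `peel_utilisateurs` with an integer `id_utilisateur`
// column (hypothetical names chosen for this example).

// Unsafe pattern (illustration only): the POST value reaches the SQL text
// untouched, so any quoting or operator it carries becomes part of the query.
function loadUserUnsafe(PDO $pdo, array $post): array
{
    $id  = $post['id_utilisateur'] ?? '';
    $sql = "SELECT * FROM peel_utilisateurs WHERE id_utilisateur = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version, step 1: enforce the expected type before any SQL is built.
function parseUserId(array $post): ?int
{
    $raw = $post['id_utilisateur'] ?? null;
    // FILTER_VALIDATE_INT accepts only a plain decimal integer; anything else
    // (a missing value, "", "5 abc", a value with quotes) yields false.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened version, step 2: bind the validated integer as a parameter so the
// value can never be parsed as SQL, and reject malformed input loudly.
function loadUserSafe(PDO $pdo, array $post): array
{
    $id = parseUserId($post);
    if ($id === null) {
        // A non-integer id is a malformed request at best and an injection
        // attempt at worst: log it for detection and return 400.
        error_log('utilisateurs.php: rejected non-integer id_utilisateur');
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM peel_utilisateurs WHERE id_utilisateur = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The rejection log line gives a simple signal to alert on: repeated 400s with non-integer `id_utilisateur` values from an administrator session are worth investigating.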
