2024-06-26 07:12
CHT Security Red Team Discovered Vulnerabilities in a Well-Known E-Learning System
Summary
Vulnerability List
[CVE-2024-xxxxx] – SQL Injection
[CVE-2024-xxxxx] – Local File Inclusion
Details
1. SQL Injection
Description
A certain URL lacks validation for certain input parameters, allowing a logged-in remote attacker to inject arbitrary SQL commands.
Impact
This vulnerability enables unauthorized access to read, modify, and delete database records.
2. Local File Inclusion
Description
User-supplied input is not properly validated on the server, allowing an authenticated attacker to include files from the server through manipulated input.
Impact
An authenticated attacker can exploit LFI to access sensitive files, execute arbitrary code, and potentially gain control over the server.
Credits
- Fi Liu (CHT Security)