CHT Security Red Team Discovered Several Vulnerabilities in Well-Known School Management System
Summary
Vulnerability List
1. [CVE-2020-10505] SQL Injection
2. [CVE-2020-10506] Path Traversal
3. [CVE-2020-10507] Unrestricted file upload (RCE)
Details
1. SQL Injection
Description
Several parameters were affected by SQL Injection.
Impact
This vulnerability allows attackers to perform a union-based injection query string to get database schema and username/password.
Known Affected Software
• versions before the year 2020
2. Path Traversal
Description
Several parameters can be manipulated by attackers.
Impact
Attackers can download files of the target machine for further analysis.
Known Affected Software
• versions before the year 2020
3. Unrestricted file upload (RCE)
Description
Several file upload fields contain a vulnerability of misconfigured file upload filter.
Impact
Attackers can upload unrestricted files that would allow attackers to gain access in the hosting machine.
Known Affected Software
• versions before the year 2020
Credits
• Jalong Chen (CHT Security)