Headline
CVE-2021-41433: CVE-References/CVE-2021-41433.md at main · martinkubecka/CVE-References
SQL Injection vulnerability exists in version 1.0 of the Resumes Management and Job Application Website application login form by EGavilan Media that allows authentication bypass through login.php.
Authentication Bypass in “Resumes Management and Job Application Website” application by EGavilan Media
- Vendor Homepage: https://egavilanmedia.com/resumes-management-and-job-application-website/
- Github: https://github.com/EGavilan-Media/Resumes-Management-and-Job-Application-Website-with-PHP-Bootstrap-and-MySQL
- Version 1.0
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41433
SQL Injection vulnerability exists in the Resumes Management and Job Application Website application login form by EGavilan Media that allows Authentication Bypass.
SQL Injection attack consists of inserting an SQL query through the input data from the client into the application. Upon successful misuse, it is possible to retrieve detailed data from the database, edit database data such as inserting, updating or deleting data, work with administrative operations in the database, or in some situations run commands directly on the operating system.
Steps to reproduce
- Download, install and run Resumes Management and Job Application Website application.
- Visit the following resource localhost/login.html.
- Enter the below mentioned credentials in the vulnerable field:
- username: admin’-- -
- password: anything
- Press the Login button, this will result in a successful Authentication Bypass.
Remediation
- Use of Prepared Statements (with Parameterized Queries)
- Use of Stored Procedures
- Allow-list Input Validation
- Escaping All User Supplied Input
Discovered by Martin Kubecka, September 15, 2021.