CVE-2023-25350: Faveo Helpdesk has SQL injection vulnerability · Issue #7827 · ladybirdweb/faveo-helpdesk
Faveo Helpdesk 1.0-1.11.1 is vulnerable to SQL injection. When a user logs in through the login box, the application does not validate the submitted input. The parameters passed from the front end to the back end are attacker-controllable, which leads to SQL injection.
I don’t know which versions have the SQL injection vulnerability, but I found that thousands of IP addresses on the cyberspace mapping platform have SQL injection vulnerabilities.
When logging in with the email account [email protected] and then appending a ' to it, the application returns SQL statement errors, which will lead to a SQL injection vulnerability.
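The root cause described above, as an added example that is not Faveo's own code: a login lookup that splices the email into the SQL text, beside the parameterized form, run against a constructed in-memory SQLite table. The trailing quote from the report makes the database reject the first statement (the error symptom described above) while the second simply finds no user; the table name, column names and sample address are assumptions.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the helpdesk's user table; the real Faveo schema
# is not on the page, so the table and column names here are assumptions.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.execute("INSERT INTO users (email) VALUES (?)", ("alice@example.com",))
    conn.commit()
    return conn

def lookup_unsafe(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    # Vulnerable pattern: the login-box value becomes part of the SQL text,
    # so a stray quote changes the statement instead of just the data.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    # Hardened pattern: the value is bound as a parameter; the SQL text never changes.
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchone()

def probe(email: str) -> dict:
    """Run both lookups on the same input and report what each did.

    "sql-error" is the symptom the report describes: the database rejects
    the statement because user-supplied data was parsed as SQL syntax.
    """
    conn = setup_db()
    results = {}
    for name, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        try:
            results[name] = fn(conn, email)
        except sqlite3.Error:
            results[name] = "sql-error"
    conn.close()
    return results

if __name__ == "__main__":
    print(probe("alice@example.com"))   # both variants find the same row
    print(probe("alice@example.com'"))  # unsafe: sql-error, safe: None
```

A database error surfacing from the login handler on a quote-terminated value is the signal to look for in application logs when checking an instance for this defect.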
Use the Burp Suite proxy to capture the POST request sent when a user logs in, and use the sqlmap tool to perform the SQL injection.
As this picture shows: