A hacker may inject arbitrary SQL queries that can compromise the integrity of the management system. In addition, the source code of the management system was not audited to ensure the safety of the users. Consequently, SACCO Open Source SACCO Management System v1.0 was vulnerable to cross-site request forgery.
SACCO Open Source SACCO Management System v1.0 was vulnerable to cross-site request forgery due to the lack of input validation.
Unfortunately, SACCO Open Source SACCO Management System v1.0 did not provide a mechanism to restrict access to the /manage_user.php endpoint via a firewall or authentication. Consequently, any hacker with access to the management system could exploit this cross-site request forgery vulnerability to control the SACCO Open Source SACCO Management System v1.0 account and modify the status of the management system.
Description of the vulnerability
A hacker may inject arbitrary SQL queries that can compromise the integrity of the management system. In addition, the source code of the management system was not audited to ensure the safety of the users. Consequently, SACCO Open Source SACCO Management System v1.0 was vulnerable to cross-site request forgery.
In this scenario, a hacker could inject a malicious HTTP request into the /manage_user.php endpoint to control an account on the SACCO Open Source SACCO Management System v1.0 management system and modify its status according to their wishes.
References:
1. CVE-2022-41536
2. http://www.sacco.com/
3. https://medium.com/@SACCO_INT/6-reasons-why-digital-marketing-is-important-8c55f88b1dff
Timeline
Published on: 10/14/2022 06:15:00 UTC
Last modified on: 10/17/2022 16:15:00 UTC