CVE-2022-41536: The Open Source SACCO Management System v1.0 had a SQL injection vulnerability in which the id parameter was used as the injection point.

An attacker may inject arbitrary SQL queries that compromise the integrity of the management system. In addition, the source code of the management system was not audited to ensure the safety of its users. Consequently, SACCO Open Source SACCO Management System v1.0 was vulnerable to cross-site request forgery.

SACCO Open Source SACCO Management System v1.0 was vulnerable to cross-site request forgery due to the lack of input validation.

Unfortunately, SACCO Open Source SACCO Management System v1.0 did not provide any mechanism, such as a firewall rule or an authentication check, to restrict access to the /manage_user.php endpoint. Consequently, any attacker with access to the management system could exploit this cross-site request forgery vulnerability to take control of a SACCO Open Source SACCO Management System v1.0 account and modify the status of the management system.

Description of the vulnerability


In this scenario, an attacker could send a crafted HTTP request to the /manage_user.php endpoint to take control of an account on the SACCO Open Source SACCO Management System v1.0 and modify its status as they wish.
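The defect described above, an untrusted id value concatenated into a query, is illustrated below beside its fix. This is an added example written for this page, not the project's own code: the SACCO application is PHP, but the same pattern is shown here in Python with an in-memory SQLite table, and the table name, columns and rows are constructed assumptions.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the application's user table; the real
    # schema is not given on the page, so these columns are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "active"), (2, "bob", "active"), (3, "carol", "disabled")],
    )
    return conn


def fetch_user_vulnerable(conn, raw_id):
    # Mirrors the flaw: the raw request value becomes part of the SQL text,
    # so anything other than a plain number changes the query's structure.
    sql = "SELECT id, username, status FROM users WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def is_valid_id(raw_id):
    # Accept only a non-empty string of decimal digits; every other value
    # (letters, spaces, operators, quotes) is rejected before reaching SQL.
    return isinstance(raw_id, str) and raw_id.isdigit()


def fetch_user_safe(conn, raw_id):
    # Validate first, then bind the value as a parameter: the driver sends
    # the value separately from the statement, so it can never alter the query.
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, username, status FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()
```

The vulnerable function returns every row when given a value that appends a tautology, while the hardened function rejects that same value outright.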

References:

1. CVE-2022-41536
2. http://www.sacco.com/
3. https://medium.com/@SACCO_INT/6-reasons-why-digital-marketing-is-important-8c55f88b1dff

Timeline

Published on: 10/14/2022 06:15:00 UTC
Last modified on: 10/17/2022 16:15:00 UTC
