CVE-2022-42237 An SQL injection issue in Merchandise Online Store v.1.0 allows attackers to log in to the admin account.

Using this SQL injection flaw, an attacker can log in to the admin account by sending a request like the following: An attacker can view the admin password by sending a request like the following: An attacker can change the admin account password by sending a request like the following: An attacker can delete the admin account by sending a request like the following: An attacker can create new admin accounts by sending a request like the following: An attacker can upload files to the server by sending a request like the following: Each of these issues can be fixed by updating the application code.

Anonymous Login

Anonymous login is available in this application. An attacker can log in to the admin account without credentials by sending a request like the following: This can be fixed by updating the application code.

Timeline

Published on: 10/17/2022 14:15:00 UTC
Last modified on: 10/19/2022 15:05:00 UTC