cnvd - cnvd-2022-87956

cnvd-2022-87956

Vulnerability from cnvd

Title: Web-Based Student Clearance System SQL注入漏洞

Description:

Web-Based Student Clearance System是Ndueso Okorie个人开发者的一个基于网络的学生通关系统。

Web-Based Student Clearance System存在SQL注入漏洞，该漏洞源于Admin/login.php的参数txtusername缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令窃取数据库敏感数据。

Severity: 高

Formal description:

厂商尚未提供漏洞修复方案，请关注厂商主页更新：https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html

Reference: https://www.jianshu.com/p/8f7b7b532c02

Impacted products

Name
Ndueso Okorie Web-Based Student Clearance System

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-3414",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-3414"
    }
  },
  "description": "Web-Based Student Clearance System\u662fNdueso Okorie\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u4e2a\u57fa\u4e8e\u7f51\u7edc\u7684\u5b66\u751f\u901a\u5173\u7cfb\u7edf\u3002\n\nWeb-Based Student Clearance System\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eAdmin/login.php\u7684\u53c2\u6570txtusername\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u7a83\u53d6\u6570\u636e\u5e93\u654f\u611f\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1ahttps://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-87956",
  "openTime": "2022-12-15",
  "products": {
    "product": "Ndueso Okorie Web-Based Student Clearance System"
  },
  "referenceLink": "https://www.jianshu.com/p/8f7b7b532c02",
  "serverity": "\u9ad8",
  "submitTime": "2022-10-10",
  "title": "Web-Based Student Clearance System SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2022-3414 (GCVE-0-2022-3414)

Vulnerability from cvelistv5

Published

2022-10-07 00:00

Modified

2025-04-15 13:46

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-89 SQL Injection

Summary

A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. Affected is an unknown function of the file /Admin/login.php of the component POST Parameter Handler. The manipulation of the argument txtusername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-210246 is the identifier assigned to this vulnerability.

References

▼	URL	Tags
	https://www.jianshu.com/p/8f7b7b532c02
	https://vuldb.com/?id.210246

Impacted products

	Vendor	Product	Version
	SourceCodester	Web-Based Student Clearance System	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:07:06.566Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.jianshu.com/p/8f7b7b532c02"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.210246"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-3414",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-14T16:59:45.573391Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T13:46:23.454Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Web-Based Student Clearance System",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. Affected is an unknown function of the file /Admin/login.php of the component POST Parameter Handler. The manipulation of the argument txtusername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-210246 is the identifier assigned to this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-707",
              "description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-89 SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00.000Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "url": "https://www.jianshu.com/p/8f7b7b532c02"
        },
        {
          "url": "https://vuldb.com/?id.210246"
        }
      ],
      "title": "SourceCodester Web-Based Student Clearance System POST Parameter login.php sql injection",
      "x_generator": "vuldb.com"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2022-3414",
    "datePublished": "2022-10-07T00:00:00.000Z",
    "dateReserved": "2022-10-07T00:00:00.000Z",
    "dateUpdated": "2025-04-15T13:46:23.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted