SQL injection in Royal Event Management System - CVE-2022-28080
Published: May 16, 2022 / Updated: May 16, 2022
Vulnerability identifier: #VU63201
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2022-28080
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: sourcecodester
Affected software:
Royal Event Management System
Royal Event Management System
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the todate parameter. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
How to mitigate CVE-2022-28080
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
Sources
- https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated
- https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html
- https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip
- http://packetstormsecurity.com/files/167123/Royal-Event-Management-System-1.0-SQL-Injection.html