Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ArslanSoft Education Portal allows SQL Injection. This issue affects Education Portal: before v1.1.
The application does not properly neutralize special characters passed by the user before using them in SQL queries (CWE-89). An attacker can inject their own SQL code into the portal's input parameters, manipulating the logic of queries directed to the database. The vulnerability is accessible over the network without requiring an account or any user interaction.
An attacker can gain unauthorized access to data stored in the database (confidentiality), modify or delete data (integrity), and potentially cause system unavailability (availability). In extreme cases, complete takeover of the database and user data contained within is possible.
ArslanSoft Education Portal should be immediately updated to version v1.1 or later. Detailed information is available in the vendor's references and USOM security notice (TR-23-0670).
ArslanSoft Education Portal in all versions prior to v1.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HArslansoft Education Portal Project Arslansoft Education Portal
APPArslansoft Education Portal Project< 1.1
Related vulnerabilities
Nieograniczony upload pliku umoΕΌliwiajΔ cy Command Injection w ArslanSoft Education Portal
Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ArslanSoft Education Portal...
Unrestricted Upload of File with Dangerous Type vulnerability in ArslanSoft Education Portal allows Read Sensi...