A SQL Injection vulnerability was discovered in the askquery.php file of CloudClassroom-PHP Project v1.0. The squeryx parameter accepts unsanitized input, which is passed directly into backend SQL queries.
The 'squeryx' parameter in the askquery.php file is not subject to any validation or sanitization before being passed to the database backend. An attacker can inject arbitrary SQL code into this parameter, modifying the logic of executed queries. Since the attack requires no authentication, authorization, or user interaction, the exploit can be carried out remotely over the network.
An attacker can gain unauthorized access to sensitive data, modify or delete database contents, and in favorable server configurations β completely take over system control.
Apply patches available from the vendor according to references. Temporarily, it is recommended to implement validation and parameterization of SQL queries (prepared statements) for the 'squeryx' parameter in the askquery.php file and restrict access to the vulnerable resource at the firewall or web server level.
CloudClassroom-PHP Project v1.0 (Vishalmathur)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVishalmathur Cloudclassroom PHP Project
APPVishalmathur1.0
Related vulnerabilities
Nieszyfrowana transmisja danych logowania w CloudClassroom-PHP-Project
SQL Injection w CloudClassroom-PHP β ominiΔcie uwierzytelnienia admina
SQL injection vulnerability in the registrationform endpoint of CloudClassroom-PHP-Project v1.0. The pass para...
A time-based SQL injection vulnerability exists in mydetailsstudent.php in the CloudClassroom PHP Project 1.0....
CloudClassroom-PHP Project v1.0 was discovered to contain a SQL injection vulnerability via the viewid paramet...