A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint .
An attacker sends a specially crafted HTTP POST request to the endpoint /Default.aspx/update_profile_Server, injecting malicious SQL code fragments into the request parameters. The vulnerability is of a blind SQLi nature — the application does not directly return query results, however the attacker can infer the contents of the database based on the application's behavior (e.g., response time or differences in responses). The absence of any authentication mechanism when accessing the vulnerable endpoint makes the exploit available to any network user.
An attacker can read, modify, or delete data collected in the application's database, including potentially authentication credentials and employee information. Depending on the database server configuration, it is also possible to escalate the attack to the operating system level.
Patches available from the vendor should be applied according to the references. As immediate remedial measures, it is recommended to restrict network access to the vulnerable endpoint /Default.aspx/update_profile_Server through firewall or WAF rules and to monitor logs for anomalous POST requests.
mJobtime version 15.7.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMjobtime
APPMjobtime15.7.2