Overview A significant security vulnerability, identified as CVE-2024-55016, has been discovered in PHPGurukul Student Record Management System version 3.20. This flaw allows for SQL Injection through the id and password parameters within the login.php script. Successful exploitation of this vulnerability could grant attackers unauthorized access to sensitive student data, system administration privileges, and potentially compromise the entire system. Technical Details The vulnerability resides in the login.php file of PHPGurukul Student Record Management System 3.20. The application fails to properly sanitize or parameterize user-supplied input provided via the id and password parameters in the login form. This allows an attacker to…
-
-
Overview CVE-2024-44640 identifies a SQL Injection vulnerability present in PHPGurukul Student Record System version 3.20. This vulnerability, located in the add-course.php file, allows attackers to potentially execute arbitrary SQL queries by manipulating the course-short, course-full, and cdate parameters. Successful exploitation could lead to unauthorized data access, modification, or deletion. Technical Details The vulnerability lies within the add-course.php file, where user-supplied input from the course-short, course-full, and cdate parameters is not properly sanitized before being used in SQL queries. This lack of sanitization allows an attacker to inject malicious SQL code into these parameters. Specifically, crafting a malicious payload within these…
-
Overview CVE-2024-44639 details a SQL Injection vulnerability present in PHPGurukul Student Record System version 3.20. This vulnerability allows an attacker to potentially execute arbitrary SQL queries, potentially leading to data breaches, modification, or deletion. The vulnerability resides within the add-subject.php file. Technical Details The vulnerability exists due to insufficient input sanitization in the add-subject.php file. Specifically, the parameters sub1, sub2, sub3, sub4, and course-short are vulnerable to SQL injection. An attacker can inject malicious SQL code through these parameters, which can then be executed by the application’s database query. The lack of proper escaping or parameterized queries allows for the…
-
Overview CVE-2024-44636 describes a SQL Injection vulnerability affecting PHPGurukul Student Record System version 3.20. This vulnerability allows a remote attacker to potentially execute arbitrary SQL commands within the application’s database, leading to data breaches, modification, or even complete system compromise. The vulnerability exists within the /admin-profile.php script. Technical Details The vulnerability stems from insufficient input sanitization within the /admin-profile.php script. Specifically, the adminname and aemailid parameters are vulnerable to SQL injection. An attacker can manipulate these parameters by injecting malicious SQL code. Because the application fails to properly validate or escape user-supplied data before incorporating it into a SQL query,…
-
Overview CVE-2024-44635 describes a Cross-Site Scripting (XSS) vulnerability found in PHPGurukul Student Record System version 3.20. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to unauthorized access, data theft, or other malicious activities. Technical Details The vulnerability exists within the /admin-profile.php page of the application. Specifically, the adminname and aemailid parameters are susceptible to XSS. An attacker can inject malicious JavaScript code into these parameters. When an administrator views the profile page, the injected script will be executed within their browser context. The lack of proper input validation and output encoding on the adminname and…
-
Overview CVE-2024-44633 identifies a critical SQL Injection vulnerability found in PHPGurukul Student Record System version 3.20. This vulnerability allows a malicious actor to potentially execute arbitrary SQL queries against the system’s database by exploiting a flaw in the change-password.php script. Successful exploitation could lead to unauthorized data access, modification, or even complete database compromise. Technical Details The vulnerability resides within the change-password.php script, specifically in the handling of the currentpassword parameter. The application fails to properly sanitize or validate user-supplied input for this parameter before incorporating it into an SQL query. As a result, an attacker can inject malicious SQL…
-
Overview CVE-2024-44632 details an SQL Injection vulnerability found in the PHPGurukul Student Record System version 3.20. This vulnerability resides within the password-recovery.php script and can be exploited through the id and emailid parameters. Successful exploitation can allow attackers to potentially gain unauthorized access to sensitive data, modify database contents, or even compromise the entire system. This article provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation steps. Technical Details The password-recovery.php script is intended to allow users to recover their passwords. However, the input validation for the id and emailid parameters is insufficient. This lack of…
-
Overview CVE-2024-44630 identifies a significant SQL injection vulnerability found in the PHPGurukul Student Record System version 3.20. This vulnerability resides within the register.php file and affects numerous input parameters, potentially allowing attackers to execute arbitrary SQL commands on the system’s database. Technical Details The vulnerability stems from insufficient input sanitization in the register.php script. Multiple parameters are susceptible to SQL injection, including (but not limited to): c-full fname mname lname gname ocp nation mobno email board1 roll1 pyear1 board2 roll2 pyear2 sub1 marks1 sub2 course-short income category ph country state city padd cadd gender An attacker can craft malicious SQL…
-
Overview A Cross-Site Scripting (XSS) vulnerability has been discovered in Alto CMS version 1.1.13. This vulnerability, identified as CVE-2024-42749, allows a local attacker to inject and execute arbitrary JavaScript code within the context of a user’s browser. Successful exploitation could lead to various malicious activities, including session hijacking, defacement, and the theft of sensitive information. Technical Details of CVE-2024-42749 The vulnerability resides in Alto CMS v.1.1.13 where insufficient input sanitization allows for the injection of malicious scripts. A crafted script, likely injected through a vulnerable input field or parameter, can then be executed when a user interacts with the affected…
-
Overview CVE-2025-13168 is a medium-severity SQL injection vulnerability discovered in Ury-ERP versions up to 0.2.0. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating the search_term argument in the overrided_past_order_list function of the ury/ury/api/pos_extend.py file. Exploitation of this vulnerability could lead to unauthorized data access, modification, or even complete system compromise. A public exploit is available, increasing the risk of active exploitation. Ury-ERP developers have released version 0.2.1 to address this issue, demonstrating a proactive and professional response. Technical Details The vulnerability resides within the overrided_past_order_list function in the ury/ury/api/pos_extend.py file. Insufficient input validation on the…