header-logo
Suggest Exploit
vendor:
Blaze Apps
by:
7.5
CVSS
HIGH
SQL Injection, HTML Injection
89
CWE
Product Name: Blaze Apps
Affected Version From: 1.4.0.051909
Affected Version To: 1.4.0.051909
Patch Exists: NO
Related CWE:
CPE: a:blaze_apps:blaze_apps:1.4.0.051909
Metasploit:
Other Scripts:
Platforms Tested:

Blaze Apps Multiple SQL and HTML Injection Vulnerabilities

Blaze Apps is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks. The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mitigation:

Implement proper input validation and sanitization to prevent SQL injection and HTML injection attacks. Use parameterized queries or prepared statements to mitigate SQL injection. Use output encoding or HTML escaping to prevent HTML injection. Regularly update to the latest version of Blaze Apps to ensure security patches are applied.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/40212/info

Blaze Apps is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks.

The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Blaze Apps 1.4.0.051909 and prior are vulnerable. 

HTML Injection

<script>alert('Stored XSS')</script>

SQL Injection

aa' OR [SQL] OR 'a'='1