Vendor: Virtual Airlines Manager
By: Pankaj Kumar Thakur
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Virtual Airlines Manager
Affected Version From: 2.6.2
Affected Version To: 2.6.2
Patch Exists: Yes
Related CWE: N/A
CPE: 2.6.2
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu
2020

Virtual Airlines Manager 2.6.2 – ‘notam’ SQL Injection

The 'notam_id' parameter in Virtual Airlines Manager 2.6.2 is vulnerable to SQL injection. The parameter's value is concatenated directly into the SQL query, so an attacker can inject arbitrary SQL. Proof of concept can be found at https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27
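As an added example (not code from the advisory or from the vendor), the following Python applies the check a fix would perform on notam_id before it reaches the query (only a plain integer is accepted) and runs the same check over web-server access logs to surface probes like the proof of concept above. The log lines and client addresses are constructed for the example.

```python
"""Flag requests to the notam page whose notam_id is not a plain integer.

Added example; the endpoint /vam/index.php?page=notam&notam_id=... is the one
named in the advisory, the access-log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request field of a combined/common log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_valid_notam_id(value):
    """Allow-list check: a notam id is an ASCII decimal integer, nothing else.

    This is the validation the application should apply (or an int cast plus
    a prepared statement) before the value is used in SQL.  "11''" fails it.
    """
    return re.fullmatch(r"[0-9]+", value) is not None


def notam_id_values(log_line):
    """Return the percent-decoded notam_id values sent to page=notam, or []."""
    match = REQUEST_RE.search(log_line)
    if match is None:
        return []
    parts = urlsplit(match.group("target"))
    if parts.path != "/vam/index.php":
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %27 -> '
    if query.get("page") != ["notam"]:
        return []
    return query.get("notam_id", [])


def suspicious_requests(log_lines):
    """Yield (client_ip, decoded notam_id) for each request failing the check."""
    for line in log_lines:
        client_ip = line.split(" ", 1)[0]
        for value in notam_id_values(line):
            if not is_valid_notam_id(value):
                yield client_ip, value


# Constructed sample log: one legitimate request, the advisory's PoC, and a
# quote sent to a different page (ignored, since it is not the notam endpoint).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2020:10:00:01 +0000] "GET /vam/index.php?page=notam&notam_id=11 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Jun/2020:10:00:05 +0000] "GET /vam/index.php?page=notam&notam_id=11%27%27 HTTP/1.1" 500 312',
    '203.0.113.4 - - [07/Jun/2020:10:01:00 +0000] "GET /vam/index.php?page=pilots&id=%27 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric notam_id {value!r}")
```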

Mitigation:

The vendor has released a patch to address the vulnerability. Users should update to the latest version of Virtual Airlines Manager.

Exploit-DB raw data:

# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
# Date: 2020-06-07
# Exploit Author: Pankaj Kumar Thakur
# Vendor Homepage: http://virtualairlinesmanager.net/
# Dork: inurl:notam_id=
# Affected Version: 2.6.2
# Tested on: Ubuntu
# CVE : N/A

Vulnerable parameter 
-------------------
notam_id=%27%27

The id parameter's value is going into the SQL query directly!

Proof of concept
---------------
https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27


Submitted: Jun 1 2020
Fixed: Jun 5 2020
Acknowledgement: https://ibb.co/Y3WYdFN