Vendor: Blaze Apps
By:
CVSS: 7.5 (HIGH)
Type: SQL Injection, HTML Injection
CWE: 89
Product Name: Blaze Apps
Affected Version From: 1.4.0.051909
Affected Version To: 1.4.0.051909
Patch Exists: NO
Related CWE:
CPE: a:blaze_apps:blaze_apps:1.4.0.051909
Platforms Tested:
Blaze Apps Multiple SQL and HTML Injection Vulnerabilities
Blaze Apps is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks. The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Mitigation:
Implement proper input validation and sanitization to prevent SQL injection and HTML injection attacks. Use parameterized queries or prepared statements to mitigate SQL injection. Use output encoding or HTML escaping to prevent HTML injection. Regularly update to the latest version of Blaze Apps to ensure security patches are applied.