vendor:
Simple Attendance System
by:
()t/\/\1
N/A
CVSS
HIGH
Unauthenticated Blind SQL Injection
89
CWE
Product Name: Simple Attendance System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE:
CPE: a:simple_attendance_system:1.0
Platforms Tested: Linux
2021
Simple Attendance System 1.0 – Unauthenticated Blind SQLi
The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'employee_code' POST parameter in 'http://127.0.0.1//attendance/Actions.php?a=save_attendance' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.
Mitigation:
To mitigate this vulnerability, input validation and parameterized queries should be implemented to prevent SQL injection attacks.