Adianti Framework SQL Injection Vulnerability Allowing Administrative Access

Vulnerability

A SQL injection vulnerability has been identified in Adianti Framework versions 5.5.0 and 5.6.0. This vulnerability allows authenticated users to manipulate database queries by injecting SQL code through the name field in the SystemProfileForm. Exploitation of this vulnerability could lead to unauthorized modification of user credentials and grant administrative access.

Impact

Exploitation of this vulnerability allows authenticated users to perform SQL injection, potentially leading to unauthorized access and privilege escalation by modifying user credentials to gain administrative rights.

Reproduction

To reproduce this vulnerability, an authenticated user accesses the profile edit endpoint (SystemProfileForm) and submits a name value containing SQL. Because the submitted value reaches the database query unescaped, it can be crafted to change the name field while simultaneously altering the login and password columns of the same record, effectively taking over the account.
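The root cause described above is a profile update whose SQL is built by string concatenation, so the submitted name is parsed as SQL rather than stored as data. The following is an added example, not code from the Adianti project: it contrasts the vulnerable pattern with a parameterized update. Python's sqlite3 stands in for the PHP database layer (an assumption about the stack), and the `system_user` table and its rows are constructed for the demonstration.

```python
import sqlite3

# Constructed schema standing in for a profile table; not Adianti's real schema.
SCHEMA = """
CREATE TABLE system_user (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    login    TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
);
"""

# Constructed seed data (password column holds placeholder hashes).
SEED = [
    (1, "Alice Example", "alice", "hash-of-alice-pw"),
    (2, "Bob Example", "bob", "hash-of-bob-pw"),
]


def fresh_db():
    """Return an in-memory database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO system_user VALUES (?, ?, ?, ?)", SEED)
    conn.commit()
    return conn


def update_name_unsafe(conn, user_id, new_name):
    """Vulnerable pattern: the user-controlled name is spliced into the SQL text,
    so whatever the value contains is interpreted by the SQL parser."""
    sql = ("UPDATE system_user SET name = '" + new_name + "' "
           "WHERE id = " + str(user_id))
    conn.execute(sql)
    conn.commit()


def update_name_safe(conn, user_id, new_name):
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL,
    and the statement can only ever write the name column."""
    conn.execute("UPDATE system_user SET name = ? WHERE id = ?", (new_name, user_id))
    conn.commit()


def get_user(conn, user_id):
    """Fetch the columns an attacker would care about for one user."""
    row = conn.execute(
        "SELECT name, login, password FROM system_user WHERE id = ?", (user_id,)
    ).fetchone()
    return {"name": row[0], "login": row[1], "password": row[2]}


def compare_patterns(new_name):
    """Apply the same name value through both patterns on fresh databases.

    Returns (unsafe_error, safe_row): the exception class name raised by the
    concatenated query (None if it ran), and the user row after the bound update.
    A legitimate value such as O'Brien already breaks the unsafe query, which is
    the observable symptom that the input reaches the SQL parser unescaped."""
    unsafe_error = None
    conn = fresh_db()
    try:
        update_name_unsafe(conn, 1, new_name)
    except sqlite3.Error as exc:
        unsafe_error = type(exc).__name__
    finally:
        conn.close()

    conn = fresh_db()
    update_name_safe(conn, 1, new_name)
    safe_row = get_user(conn, 1)
    conn.close()
    return unsafe_error, safe_row


if __name__ == "__main__":
    err, row = compare_patterns("O'Brien")
    print("unsafe query error:", err)
    print("row after parameterized update:", row)
```

The check a reviewer applies to the fix is the one `compare_patterns` encodes: after an update through the bound statement, `login` and `password` are unchanged no matter what the name contained, and a name with a quote is stored verbatim instead of reaching the parser.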

Added: Apr 12, 2026, 1:27 PM
Updated: Apr 12, 2026, 1:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.0
remediation: 0.0
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.