Simple Job Script SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Simple Job Script versions through 1.66. It allows unauthenticated attackers to manipulate database queries by injecting SQL code via the 'landing_location' parameter. Exploitation involves sending POST requests to the 'searched' endpoint with malicious SQL payloads, enabling attackers to bypass authentication and access sensitive database information.

Impact

Exploitation of this vulnerability lets an attacker inject SQL without authorization, which can be used to manipulate database queries, bypass authentication, and extract sensitive information from the database.

Reproduction

To reproduce this vulnerability, send a POST request to the 'searched' endpoint with the 'landing_location' parameter. Inject SQL payloads to manipulate the database query. The vulnerability can also be reproduced by sending SQL injection payloads through the 'job_id' parameter on the 'get_job_applications_ajax.php' endpoint, the 'employerid' parameter on the 'register-recruiters' endpoint, or the 'app_id' parameter on the 'delete_application_ajax.php' endpoint.
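
For defenders reviewing traffic to an affected install, the endpoint and parameter pairs listed above can be turned into a log triage check. This is an added example, not code from Simple Job Script or from this advisory; the assumption that job_id, employerid and app_id are numeric in legitimate traffic, the marker pattern, the function names and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoint -> parameter pairs named in the advisory text.
WATCHED = {
    "searched": "landing_location",
    "get_job_applications_ajax.php": "job_id",
    "register-recruiters": "employerid",
    "delete_application_ajax.php": "app_id",
}
# Assumption (not stated by the advisory): these ids are plain integers.
NUMERIC = {"job_id", "employerid", "app_id"}
DIGITS = re.compile(r"[0-9]+")
# Heuristic markers for the free-text field; expect some false positives.
SQL_MARKERS = re.compile(
    r"--|/\*|;|'\s*(?:or|and)\b|\bunion\s+select\b"
    r"|\b(?:sleep|benchmark)\s*\(|information_schema",
    re.IGNORECASE,
)

def suspicious(path, body):
    """Return (param, decoded value) pairs in a POST body that need review."""
    endpoint = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    param = WATCHED.get(endpoint)
    if param is None:
        return []
    hits = []
    # parse_qs URL-decodes values, so encoded payloads are checked decoded.
    for value in parse_qs(body).get(param, []):
        if param in NUMERIC:
            if not DIGITS.fullmatch(value):
                hits.append((param, value))
        elif SQL_MARKERS.search(value):
            hits.append((param, value))
    return hits

# Constructed sample POST records (path, urlencoded body); paths are made up.
SAMPLE = [
    ("/searched", "landing_location=Berlin&q=dev"),
    ("/searched", "landing_location=Berlin%27+OR+%271%27%3D%271"),
    ("/get_job_applications_ajax.php", "job_id=42"),
    ("/jobs/delete_application_ajax.php", "app_id=7+AND+SLEEP(5)"),
    ("/contact", "landing_location=%27+or+1"),
]

def scan(records):
    """Return the records that contain at least one flagged parameter."""
    return [(p, suspicious(p, b)) for p, b in records if suspicious(p, b)]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE):
        print(path, hits)
```

A hit is a prompt to review the request, not proof of compromise; the durable fix is in the application's query handling.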

Added: Mar 4, 2026, 7:03 PM
Updated: Mar 4, 2026, 7:03 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 9.7
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.