Simple Job Script
cpe:2.3:a:simplejobscript:simplejobscript:*:*:*:*:*:*:*
- <= 1.66
A SQL injection vulnerability has been identified in Simple Job Script versions through 1.66. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code via the employerid parameter. Exploitation involves sending POST requests to the register-recruiters endpoint with crafted SQL injection payloads, potentially leading to the extraction of sensitive data or modification of database contents.
Successful exploitation lets attackers manipulate database queries to extract or alter data.
To reproduce this vulnerability, send a POST request to the register-recruiters endpoint with a time-based SQL injection vector in the employerid parameter. For example, the injected SQL can introduce a time-based delay (such as the SLEEP function); a correspondingly delayed response confirms the injection.
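For detection, the following added example (not part of the original advisory or the Simple Job Script code base) flags logged POST requests to the register-recruiters endpoint whose employerid value looks like the time-based probe described above. It assumes employerid is a plain numeric ID in legitimate traffic and that your proxy or WAF logs the form body and response time; the record layout, path and threshold are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: employerid is a plain numeric identifier in legitimate traffic.
NUMERIC_ID = re.compile(r"\d{1,10}")
# Delay primitives commonly seen in time-based SQL injection probes.
DELAY_FN = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
SLOW_SECONDS = 3.0  # assumed threshold; tune to the application's normal latency

def classify(method, path, body, duration):
    """Return a list of findings for one logged request (empty list = clean)."""
    if method.upper() != "POST" or "register-recruiters" not in path:
        return []
    findings = []
    # parse_qs URL-decodes values, so encoded payloads are inspected decoded.
    values = parse_qs(body, keep_blank_values=True).get("employerid", [])
    if len(values) > 1:
        findings.append("duplicate employerid parameter")
    for value in values:
        if NUMERIC_ID.fullmatch(value):
            continue
        findings.append("non-numeric employerid")
        if DELAY_FN.search(value):
            findings.append("delay function in employerid")
        if duration >= SLOW_SECONDS:
            findings.append("slow response to non-numeric employerid")
    return findings

# Constructed sample records: (method, path, form body, response seconds).
SAMPLE_LOG = [
    ("POST", "/register-recruiters", "employerid=42&name=Acme", 0.12),
    ("POST", "/register-recruiters", "employerid=42%20AND%20SLEEP%285%29", 5.31),
    ("POST", "/register-recruiters", "employerid=42&employerid=7", 0.10),
    ("GET", "/register-recruiters", "", 0.08),
    ("POST", "/register-recruiters", "employerid=abc", 0.09),
]

def scan(records):
    """Map record index -> findings for every flagged record."""
    return {i: f for i, r in enumerate(records) if (f := classify(*r))}

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, SAMPLE_LOG[index][1], findings)
```

A hit that combines a delay function with a slow response is the strongest signal; non-numeric values alone may just be malformed client input.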