VIAVIWEB Wallpaper Admin SQL Injection Vulnerability Allowing Authentication Bypass
Vulnerability
A SQL injection vulnerability has been identified in VIAVIWEB Wallpaper Admin version 1.0. This vulnerability allows attackers to bypass authentication by manipulating login credentials. Exploitation occurs on the login page, where injected payloads such as 'admin' or '1=1--' can be used to gain unauthorized access to the administrative interface.
Impact
Exploitation of this vulnerability allows for authenticated SQL injection, which could be used to manipulate the application's database. Additionally, this vulnerability has been chained to achieve remote code execution, according to the source.
Reproduction
To reproduce this vulnerability, disable JavaScript in the browser, inject the SQL payload into the login form, and submit the request. After reactivating JavaScript, resend the request to bypass authentication. The SQL injection can also be exploited on the 'edit_gallery_image.php' endpoint by manipulating the 'img_id' parameter.
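An added example (not VIAVIWEB's code, which this page does not show) contrasting a concatenated login query with a parameterized one, plus strict validation for an `img_id`-style parameter. It uses Python with an in-memory SQLite database so it runs stand-alone; the table names, column names, sample rows and test input are constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

def hash_pw(password):
    # Demo only: a real deployment should use a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Constructed stand-in schema; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_admin (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    db.execute("CREATE TABLE tbl_gallery (id INTEGER PRIMARY KEY, image TEXT)")
    db.execute("INSERT INTO tbl_admin VALUES (1, 'admin', ?)", (hash_pw("correct horse"),))
    db.execute("INSERT INTO tbl_gallery VALUES (7, 'sunset.jpg')")
    return db

def login_vulnerable(db, username, password):
    # Input is concatenated into the statement, so quotes change its structure.
    sql = ("SELECT id FROM tbl_admin WHERE username = '" + username +
           "' AND pw_hash = '" + hash_pw(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    # Placeholders keep input as data; the hash is compared in constant time.
    row = db.execute("SELECT pw_hash FROM tbl_admin WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], hash_pw(password))

def get_gallery_image(db, img_id):
    # img_id arrives as a string from the request: accept ASCII digits only, then bind it.
    if not (isinstance(img_id, str) and img_id.isascii() and img_id.isdigit()):
        raise ValueError("img_id must be a positive integer")
    return db.execute("SELECT image FROM tbl_gallery WHERE id = ?",
                      (int(img_id),)).fetchone()

if __name__ == "__main__":
    db = make_db()
    tautology = "admin' OR '1'='1' --"  # constructed test input
    print("vulnerable login accepts it:", login_vulnerable(db, tautology, "x"))
    print("hardened login accepts it:  ", login_hardened(db, tautology, "x"))
```

The hardened functions double as regression checks: any login or `img_id` handler that accepts the constructed inputs above is still building SQL from request data.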
