Beakon Learning Management System SCORM SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Beakon Learning Management System (LMS) versions prior to 5.4.3. This vulnerability allows remote, unauthenticated attackers to execute arbitrary SQL commands by injecting SQL syntax into the 'ks' parameter of the 'json_scorm.php' file. The exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive information.

Impact

The flaw is exploitable as a time-based SQL injection: an attacker can execute arbitrary SQL commands and potentially extract sensitive information from the database.

Reproduction

To reproduce this vulnerability, send a crafted HTTP request to 'json_scorm.php' in which the 'ks' parameter carries SQL syntax that creates a conditional time delay, such as 'SLEEP' or 'WAITFOR DELAY'. A correspondingly delayed response demonstrates that SQL supplied through the parameter is executed.
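For defenders, the same indicators can be searched for in web server logs. The following is an added example, not part of the original advisory or the vendor's code: it scans access log lines for requests to 'json_scorm.php' whose 'ks' value contains the delay constructs named above. Assumptions: combined-format logs, the parameter sent in the query string, and a hypothetical '/lms/' install path in the constructed sample lines.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')
# Time-delay constructs named in the advisory: SLEEP(...) and WAITFOR DELAY.
DELAY_RE = re.compile(r'\bsleep\s*\(|\bwaitfor\s+delay\b', re.IGNORECASE)

# Constructed sample lines (documentation IP range, hypothetical /lms/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2025:15:01:02 +0000] "GET /lms/json_scorm.php?ks=4f1c9a HTTP/1.1" 200 312',
    '192.0.2.44 - - [23/Jun/2025:15:01:09 +0000] "GET /lms/json_scorm.php?ks=x%20SLEEP%285%29 HTTP/1.1" 200 312',
    '192.0.2.44 - - [23/Jun/2025:15:01:20 +0000] "GET /lms/json_scorm.php?ks=x%2520WaitFor%2520Delay%2520y HTTP/1.1" 200 312',
    '192.0.2.77 - - [23/Jun/2025:15:02:00 +0000] "GET /lms/help.php?ks=SLEEP%281%29 HTTP/1.1" 200 90',
]

def normalise(value, rounds=3):
    """Undo repeated URL-encoding so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client ip, decoded ks) for json_scorm.php hits carrying a delay construct."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group('target'))
        if not url.path.lower().endswith('/json_scorm.php'):
            continue  # only the endpoint named in the advisory
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == 'ks':
                decoded = normalise(value)  # parse_qsl already decoded once
                if DELAY_RE.search(decoded):
                    hits.append((m.group('ip'), decoded))
    return hits

if __name__ == '__main__':
    for ip, ks in suspicious_requests(SAMPLE_LOG):
        print(f'{ip}\tks={ks!r}')
```

Request bodies are not recorded in standard access logs, so 'ks' values sent by POST need a WAF or application-level log to be covered by the same check.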

Added: Jun 23, 2025, 3:29 PM
Updated: Jun 23, 2025, 3:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.