mJobtime Client-Side Authorization Vulnerability Allowing Access to Administrative Features
Vulnerability
A vulnerability in mJobtime version 15.7.2 has been identified in which authorization is enforced on the client side rather than on the server. This flaw allows an attacker to modify the client-side code and gain access to administrative functionality. An attacker can also craft requests, based on the modified client-side code, that invoke these administrative functions directly.
Impact
Exploitation of this vulnerability allows unauthorized users to access administrative features, potentially leading to unauthorized modification of application data or settings.
Reproduction
The vulnerability can be reproduced by manipulating the client-side code to bypass authorization checks, for example by setting the username to 'SUPERVISOR', which grants access to the administrative interface. Once in the admin console, the SQL injection vulnerability can be exploited by sending crafted SQL queries that the server executes, leading to remote code execution.
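The authorization flaw described above, as an added illustration that is not mJobtime's code (the session store, request shape and role names are assumed): the vulnerable pattern that trusts a client-asserted username, beside a server-side check that derives the role from the authenticated session, plus a detection signal for a client-claimed identity that disagrees with the session.

```python
from dataclasses import dataclass, field

ADMIN_ROLES = {"supervisor"}

# Constructed server-side session store: session token -> authenticated user.
# Hypothetical; the page does not describe mJobtime's real session handling.
SESSIONS = {
    "tok-alice": {"username": "alice", "role": "employee"},
    "tok-sam": {"username": "sam", "role": "supervisor"},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to an administrative endpoint."""
    session_token: str
    # Fields the client fully controls (form/JSON body, JS-side state).
    body: dict = field(default_factory=dict)


def vulnerable_is_admin(req: Request) -> bool:
    """Vulnerable pattern: authorization decided from a client-asserted field.
    Any caller who sets username=SUPERVISOR reaches the admin functions."""
    return req.body.get("username", "").upper() == "SUPERVISOR"


def hardened_is_admin(req: Request) -> bool:
    """Hardened pattern: the role comes only from the server-side session.
    Client-supplied identity fields play no part in the decision."""
    user = SESSIONS.get(req.session_token)
    return user is not None and user["role"] in ADMIN_ROLES


def spoofed_identity(req: Request) -> bool:
    """Detection signal: the username the client claims differs from the
    username bound to its session. Worth logging and alerting on."""
    user = SESSIONS.get(req.session_token)
    claimed = req.body.get("username")
    return (user is not None and claimed is not None
            and claimed.lower() != user["username"])


if __name__ == "__main__":
    forged = Request("tok-alice", {"username": "SUPERVISOR"})
    print("vulnerable check grants admin:", vulnerable_is_admin(forged))
    print("hardened check grants admin:", hardened_is_admin(forged))
    print("identity spoof detected:", spoofed_identity(forged))
```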
