Gibbon Authenticated SQL Injection Vulnerability
Vulnerability
An authenticated SQL injection vulnerability has been identified in Gibbon versions prior to v30.0.01. This vulnerability arises in the Tracking/graphing module, specifically within a SQL query that improperly sanitizes user input. Exploitation of this vulnerability, which requires Teacher or higher privileges, could lead to unauthorized read or write operations on the database.
Impact
Successful exploitation allows for SQL injection, which could be used to manipulate database queries, potentially leading to unauthorized data access or modification.
Reproduction
The vulnerability can be reproduced by sending a POST request to the Tracking/graphing module with crafted payloads that exploit the SQL query's input handling. The injection point is in the 'gibbonDepartmentIDs' parameter, where SQL payloads can be inserted to manipulate the query execution.
Remediation
Users are advised to update to Gibbon version v30.0.01, which addresses this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.