
CVE-2020-29214 Scanner - SQL Injection vulnerability in Alumni Management System
The Alumni Management System is used by educational institutions to manage and engage with their alumni. Typically run by alumni offices or departments, the system maintains an organized database of former students. It facilitates coordination between alumni and the institution, allowing information sharing and event planning, and it supports communication through newsletters and notifications, which aids alumni networking. For educational institutions, it is a vital tool for creating opportunities for alumni involvement and fundraising. The system also often acts as a portal through which alumni access exclusive content and opportunities.
The vulnerability is an SQL Injection, a critical flaw that lets attackers manipulate database operations. It is caused by insufficient sanitization of user input on the admin login page. By inserting malicious SQL, attackers can exploit the flaw to bypass authentication. As a result, unauthorized individuals may gain access to sensitive areas and data within the application. The potential impact extends to data leakage, unauthorized actions, and compromise of database integrity. Addressing this flaw is essential to protect the integrity and confidentiality of the system's data.
The SQL Injection vulnerability is present in the admin/login.php endpoint of the Alumni Management System. The vulnerable parameters are the input fields that accept user credentials, such as username and password. These fields do not sufficiently escape or verify their input, so crafted SQL statements entered there are executed as SQL code. As seen in the attack pattern, injecting SQL code like 'or'1'='1' tricks the system into treating the statement as a legitimate request. This lack of proper input validation opens up significant security risks and calls for immediate remediation.
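The pattern described above, as an added example that is not the Alumni Management System's own code: a login query built by string concatenation beside one that uses a prepared statement. The table, columns, sample account and function names are constructed for illustration, and an in-memory SQLite database accessed through PDO stands in for the application's database.

```php
<?php
// Added illustration: schema, data and function names are constructed,
// not taken from the Alumni Management System source.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')->execute([
    'admin',
    'constructed-sample-password', // legacy column compared inside the SQL
    password_hash('constructed-sample-password', PASSWORD_DEFAULT),
]);

// Weak pattern: credentials are pasted into the SQL text, so quote characters
// in the input change the structure of the WHERE clause.
function login_concatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    try {
        return $db->query($sql)->fetch() !== false;
    } catch (PDOException $e) {
        return false; // input produced malformed SQL
    }
}

// Hardened pattern: the username is bound as data through a placeholder and
// the password is checked in PHP against a salted hash, never inside the SQL.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

$tautology = "' or '1'='1"; // same form as the pattern quoted above
$cases = [
    'valid credentials'        => ['admin', 'constructed-sample-password'],
    'wrong password'           => ['admin', 'not-the-password'],
    'tautology in both fields' => [$tautology, $tautology],
];
foreach ($cases as $label => [$user, $pass]) {
    printf("%-26s concatenated=%-5s prepared=%s\n", $label,
        var_export(login_concatenated($db, $user, $pass), true),
        var_export(login_prepared($db, $user, $pass), true));
}
```

Both functions accept the valid credentials and reject the wrong password; only the concatenated version accepts the tautology input, because the prepared statement treats it as a literal username that matches no row.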
Exploitation of this vulnerability could lead to substantial risks, including unauthorized system access and data compromise. Attackers might use this access to alter, delete, or steal sensitive data stored in the system's database. Furthermore, administrative privileges may let attackers launch further attacks, deepen their foothold in the system, and disrupt normal operations. Such consequences can lead not only to reputational damage but also to legal liabilities related to data privacy breaches. Consequently, regular security assessments and immediate patching are imperative.