The security risk of manipulating the username/password argument via SQL injection in SourceCodester Simple Online Public Access Catalog 1.0 is estimated as critical. The PoC video is available below. Further details about this vulnerability are yet to be revealed. Software vendors and hosting providers may block access to their servers if they are aware of this incident. If you suspect that you were affected by this issue, you should change your password for all applications and sites that you have access to. You can also monitor for active or possible SQL injections and change your passwords accordingly. All security issues may be monitored by querying your DNS. For example, dig +short @HOST or dig +short HOST.

References:

- CVE-2022-3495


Potential Risk and How to Stay Protected

The primary risk of this vulnerability is having your username/password pairs compromised. You should also be on the lookout for other potential security issues. Other risks may include loss of sensitive data and denial-of-service attacks. To stay protected, you should monitor your DNS to see if any security issues are active or have been reported and change your passwords accordingly.
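For operators of an affected login form, the standard mitigation for injection through the username/password arguments is to bind those values as query parameters instead of concatenating them into the SQL text. The following is an added example, not code from SourceCodester or from this advisory: it uses Python with an in-memory SQLite database as a stand-in, and the schema, function names and sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical schema and names; the real application's tables are not on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def add_user(db, username, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, _hash(password, salt)))

def _check(row, password):
    # Compare hashes in constant time; an unknown user simply fails.
    return row is not None and hmac.compare_digest(row[1], _hash(password, row[0]))

def login_concat(db, username, password):
    # Weak pattern: the username becomes part of the SQL text itself.
    sql = "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    return _check(db.execute(sql).fetchone(), password)

def login_param(db, username, password):
    # Hardened pattern: the statement is fixed; the username is bound as data.
    sql = "SELECT salt, pw_hash FROM users WHERE username = ?"
    return _check(db.execute(sql, (username,)).fetchone(), password)

def try_login(login, db, username, password):
    """Return (ok, error); error is set when the input changed how the SQL parsed."""
    try:
        return login(db, username, password), None
    except sqlite3.Error as exc:
        return False, type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    add_user(db, "o'neil", "correct horse")  # constructed sample account
    print(try_login(login_concat, db, "o'neil", "correct horse"))
    print(try_login(login_param, db, "o'neil", "correct horse"))
```

A legitimate name containing an apostrophe is enough to break the concatenated statement, which shows that user input is reaching the SQL parser; the parameterized version treats the same input purely as data.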

How to detect SQL Injection in SourceCodester

SourceCodester Simple Online Public Access Catalog 1.0 is an online catalog that allows users to make a request for a code and has the capability to accept username/password values as the arguments. It has been found that the software is vulnerable to SQL injection and password guessing attacks. A video PoC of SQL injection in SourceCodester can be found below:

Timeline

Published on: 10/14/2022 07:15:00 UTC
Last modified on: 10/15/2022 02:37:00 UTC
