A remote attacker able to reach the vulnerable application through its frontend could leverage the SQL injection flaw to execute arbitrary SQL commands.

Moreover, it was discovered that Edoc-doctor-appointment-system v1.0.1 did not properly restrict access to the id parameter via the Restrict GET directive at /configuration/restrict.php. Thus, if a remote attacker had access to the application, they could potentially exploit the access violation to run arbitrary SQL commands.

Finally, it was discovered that Edoc-doctor-appointment-system v1.0.1 did not restrict the use of the id parameter by unrestricted users at /configuration/user-role-restrict.php. If a remote attacker was able to access the application, and if they were an unrestricted user, they could inject SQL queries into the application and have full access to the database.
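The three flaws above share one root cause: a request parameter (`id`) reaches the database without an authorisation check and without being separated from the SQL text. The following is an added illustration, not code from Edoc-doctor-appointment-system; the table and column names, the session key and the `user_roles` schema are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Illustrative example only (not the project's files). It contrasts the
// injectable pattern described in the advisory with a hardened replacement.

// Vulnerable pattern: the id parameter is neither authorised nor
// parameterised, so whatever the client sends becomes part of the SQL.
function lookupRoleVulnerable(PDO $db, array $get): ?array
{
    $id  = $get['id'] ?? '';                               // attacker-controlled
    $sql = "SELECT * FROM user_roles WHERE id = '$id'";    // string concatenation
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened replacement: authorise first, validate, then bind the value.
// 'role' in $session and the 'admin' role name are assumed for this example.
function lookupRoleSafe(PDO $db, array $get, array $session): ?array
{
    // 1. Access control: only an authenticated administrator may use this page,
    //    which closes the "unrestricted user" path described in the advisory.
    if (($session['role'] ?? null) !== 'admin') {
        http_response_code(403);
        return null;
    }

    // 2. Input validation: id must be a positive integer; anything else is rejected
    //    before any database work happens.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 3. Parameterised query: the value travels separately from the SQL text,
    //    so it can never alter the statement's structure.
    $stmt = $db->prepare('SELECT id, role FROM user_roles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection ensures the driver performs real server-side binding rather than client-side string substitution.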

Edoc-doctor-appointment-system v2.0.0 - SQL Injection

Edoc-doctor-appointment-system v2.0.0 is a development release that fixes all three flaws discovered in Edoc-doctor-appointment-system v1.0.1.

All of these vulnerabilities were reported to the vendor and the vendor was able to quickly fix the bugs.

Edoc-doctor-appointment-system v1.0.1

The Edoc-doctor-appointment-system application is offered as a SaaS product and is vulnerable to SQL injection: a remote attacker with access to the application could leverage the flaw to execute arbitrary SQL commands. The access-restriction issues in the id parameter at /configuration/restrict.php and /configuration/user-role-restrict.php described above also affect this version.

Edoc-doctor-appointment-system: Overall guidance on protecting your online presence

There are a number of steps you can take to protect your online presence and reduce the risk of becoming the victim of a cyberattack.
First, it is critical to have adequate security software in place, so that if an attack does happen you are able to detect it, or at least learn afterwards that it occurred.
Next, make sure you implement proper access control for your company's personnel. This allows you to monitor who is accessing your sensitive information and what they are doing with it.

Timeline

Published on: 08/26/2022 21:15:00 UTC
Last modified on: 08/31/2022 18:38:00 UTC