Exploiting this issue may allow remote attackers to execute arbitrary SQL commands in the database or leak database information. The id parameter appears to be susceptible to SQL injection attacks, due to its use of a tailed numeric field.

It was discovered that Stock Management System v1.0 contained an XSS vulnerability via the username field at /admin/?page=settings&field=username.

It was discovered that Stock Management System v1.0 contained a stored XSS vulnerability via the username field at /admin/?page=settings&field=email.

It was discovered that Stock Management System v1.0 contained a persistent XSS vulnerability via the username field at /admin/?page=settings&field=password.
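The three settings-page findings above share one root cause: a value saved through the settings form is later written back into the page without HTML encoding. The following added example, which is not code from Stock Management System, contrasts a rendering routine that interpolates stored fields directly with one that entity-encodes them at the output point. The `STORED_SETTINGS` dictionary, the function names and the sample payload are constructed assumptions standing in for the real application.

```python
"""Stored XSS on a settings page: vulnerable rendering beside its hardened form.

Added example, not code from Stock Management System. The settings dictionary,
the render functions and the sample payload are assumptions.
"""
import html

# Constructed sample of what an account may have saved earlier through the
# settings form. The username carries a harmless marker tag whose only purpose
# is to show whether stored markup survives into the rendered page.
STORED_SETTINGS = {
    "username": '<b onmouseover="alert(1)">admin</b>',
    "email": "admin@example.com",
    "password": "s3cr3t",  # a password is never echoed back into HTML at all
}


def render_settings_vulnerable(settings: dict) -> str:
    """Writes stored fields straight into attribute values.

    Whatever markup the user saved is interpreted by the browser on every
    later visit to the page, which is what makes the XSS stored/persistent.
    """
    return (
        '<input name="username" value="' + settings["username"] + '">'
        '<input name="email" value="' + settings["email"] + '">'
    )


def render_settings_hardened(settings: dict) -> str:
    """Entity-encodes each value where it is placed into an HTML attribute.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    browser treats the stored value as text rather than as markup or as the
    end of the attribute.
    """
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        '<input name="username" value="' + esc(settings["username"]) + '">'
        '<input name="email" value="' + esc(settings["email"]) + '">'
    )


def contains_live_markup(rendered: str) -> bool:
    """Detection helper for a regression test: does the marker tag from the
    stored username appear as a real tag (unencoded) in the output?"""
    return "<b " in rendered
```

Encoding at the output point is the control that actually closes the finding; rejecting angle brackets on input is a useful secondary measure but does not protect fields that were stored before the fix or that arrive through another path.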

Vulnerable packages:

Stock Management System v1.0

Vulnerable field: id

The id parameter appears to be vulnerable to SQL injection attacks, due to its use of a tailed numeric field.
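A "tailed" numeric field is one where the request value begins with a number but whatever follows the digits is carried into the SQL statement unchanged. The following added example, which is not code from Stock Management System, shows a lookup that concatenates the id into the query beside a hardened version that both validates the value as a plain integer and binds it as a parameter. The `stock` table, its sample rows and the function names are constructed assumptions; the database is an in-memory SQLite instance so the example runs offline.

```python
"""SQL injection through a tailed numeric id: vulnerable lookup beside its fix.

Added example, not code from Stock Management System. The table layout, the
sample rows and the function names are assumptions.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample table standing in for the real stock table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stock (id INTEGER PRIMARY KEY, item TEXT, qty INTEGER)"
    )
    conn.executemany(
        "INSERT INTO stock VALUES (?, ?, ?)",
        [(1, "widget", 10), (2, "gadget", 5), (3, "gizmo", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Concatenates the request parameter into the statement text.

    Because the parameter is never checked to be only digits, a value whose
    leading number is followed by a SQL fragment rewrites the WHERE clause
    instead of selecting one row.
    """
    sql = "SELECT id, item, qty FROM stock WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    """Two independent controls against the same flaw.

    1. The value must consist solely of decimal digits before it is used.
    2. The integer is passed as a bound parameter, so even a value that slipped
       past step 1 could not alter the statement's structure.
    """
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, item, qty FROM stock WHERE id = ?", (int(raw_id),)
    ).fetchall()


def tail_of(raw_id: str) -> str:
    """Detection helper for request logs: everything after the leading digits.

    A non-empty tail on a parameter that should be purely numeric is a cheap,
    low-noise signal that the parameter has been tampered with.
    """
    return raw_id.lstrip("0123456789")
```

Rejecting the value when `tail_of` is non-empty and logging the rejected tail gives both a fix and a detection signal from the same check; the bound parameter remains in place so the fix does not depend on the validation alone.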

Vulnerabilities Found by Automated Detection

The analyst found a number of vulnerabilities in Stock Management System v1.0 through automated detection based on static analysis of the application's source code. These included multiple stored XSS vulnerabilities, as well as persistent and non-persistent XSS vulnerabilities.

The findings in this report are used to help determine which system is the most vulnerable to attack and how it may be exploited. They are not limited to those listed here; they also include other vulnerabilities discovered by the analyst during testing. In addition, the findings have been corroborated by manual testing and by security professionals on the team.

Vulnerable Source Code

The source code of the affected software appears to be publicly available, and is viewable at https://github.com/stock-management-system/stock-managment.

Timeline

Published on: 08/29/2022 14:15:00 UTC
Last modified on: 09/01/2022 06:36:00 UTC

References