CVE-2022-38267 Activity updates with SMS notification v1.0 had a SQL injection vulnerability.

An attacker can exploit this flaw to access or edit any database record of the affected application and cause significant disruption to its operations. Depending on the privileges associated with the user, this might lead to the compromise of the entire application.

An attacker must first acquire access to the system where the vulnerable application is installed. Next, the attacker must lure the user to access the vulnerable application by any means necessary.

Once the user has accessed the application, the attacker can exploit the SQL injection flaw to gain access to the database and carry out actions that are difficult to trace.

Finally, the attacker must escape from the network or remote system to prevent detection.

v1.0 of Activity Updates with SMS Notification is vulnerable; however, it is recommended that administrators upgrade as soon as possible.

END

Activity Updates with SMS Notification is a web-based application that allows schools to manage and monitor student attendance, grades, and other school-related information.

Summary

A vulnerability in Activity Updates with SMS Notification has been identified. Administrators of the application should upgrade as soon as possible to avoid potential attacks or disruption.

Alert s

When an administrator logs into the application, it will send an alert to their smartphone if a student's absence exceeds three days. Administrators can also receive alerts when students report grades or attendance changes.

These updates are provided through the SMS notification service which is hosted on the same server as Activity Updates with SMS Notification.

The following table contains all strings used in Activity Updates with SMS Notification v1.0 file

SQL injection vulnerability is a type of attack that occurs when an attacker sends specially crafted input to a vulnerable application. An SQL injection vulnerability makes it possible for the attacker to execute arbitrary code on the target system by passing parameters through SQL queries.

SQL Injection Vulnerability

The system is vulnerable to SQL injection because the application allows users to input malformed SQL queries that are processed by the database. This issue can be exploited if an attacker sends a malformed SQL query in the 'Activity Update with SMS Notification' web application's contact form. The attacker must first attain access to the system where Activity Updates with SMS Notification is installed, then lure users into submitting this form. Once an unsuspecting user submits this form and is authenticated, the attacker can exploit the flaw to gain access to the database and carry out actions that are difficult to trace.

System requirements

Activity Updates with SMS Notification is web-based so it can work on any device that has a web browser.

Timeline

Published on: 09/08/2022 21:15:00 UTC
Last modified on: 09/15/2022 14:13:00 UTC

References

• https://github.com/moyess/bug_report/blob/main/vendors/janobe/school-activity-updates-sms-notification/SQLi-1.md
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38267