An attacker can exploit this vulnerability to inject arbitrary SQL queries into the application, causing the backend to crash. In addition, this software may collect users’ data via the name and email fields at /up_booking/edit.cgi.
Finally, this software may allow attackers to hijack the login form at /up_booking/login.html, due to the lack of CSRF protection. An attacker can use this vulnerability to access the login form and potentially exploit it to gain access to the backend. End users are advised to be cautious about clicking on links sent in emails: in most cases an attacker’s email may be used to send phishing emails, which can cause an end user to enter their personal information, such as their name and email address.
Timeline
Published on: 09/27/2022 23:15:00 UTC
Last modified on: 09/28/2022 22:47:00 UTC