cbcvebase.
CVE-2018-7477
published 2018-02-28

CVE-2018-7477: SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 via the Username and Password fields to parents/Parent_module/parent_login.php.

Priority: P260, critical (CVSS 3.0 base score 9.8)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 2.80% (84.7th percentile)

Affected

1 range

Vendor: school_management_script_project
Product: school_management_script
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

Path: parents/Parent_module/parent_login.php
Command: x'or'x'='x
  • Monitor HTTP POST requests to the path `parents/Parent_module/parent_login.php` for SQL injection payloads in the Username or Password fields, particularly payloads containing single quotes and OR-based logic (e.g., `x'or'x'='x`).
  • Successful exploitation results in authentication bypass granting admin-level access; alert on successful logins to the parent login endpoint that originate from unexpected or unauthenticated sessions immediately following a malformed login attempt.
  • The exploit was tested on Windows; behavior or path casing may differ on Linux-based deployments of the School Management Script.
  • The vulnerable endpoint is scoped specifically to version 3.0.4 of PHP Scripts Mall School Management Script; other versions are not confirmed affected.
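The first two detection bullets as a runnable check, added here as an example and not part of this record: it scans constructed application log lines (timestamp, client IP, method, path, status, URL-encoded POST body; the log format, IPs and credentials are assumptions) for POSTs to the parent login path whose Username or Password field carries a quote-OR-quote tautology like the `x'or'x'='x` payload above, and escalates a hit that was answered with a redirect into the portal.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (not from the page). Web servers do not log POST
# bodies by default; this assumes an application-side or WAF log that does.
SAMPLE_LOG = """\
2018-02-28T10:00:01Z 203.0.113.5 POST /parents/Parent_module/parent_login.php 200 username=jdoe&password=Winter2018
2018-02-28T10:00:07Z 198.51.100.9 POST /parents/Parent_module/parent_login.php 302 username=x%27or%27x%27%3D%27x&password=x%27or%27x%27%3D%27x
2018-02-28T10:00:09Z 198.51.100.9 GET /parents/Parent_module/dashboard.php 200 -
2018-02-28T10:01:15Z 203.0.113.5 POST /parents/Parent_module/parent_login.php 200 username=o%27brien&password=pass
"""

TARGET_PATH = "/parents/Parent_module/parent_login.php"
# Quote, OR, quote: matches x'or'x'='x and x' OR 'x; a lone apostrophe
# in a legitimate name (o'brien) does not match.
TAUTOLOGY = re.compile(r"'\s*or\s*'", re.IGNORECASE)
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")


def parse_line(line):
    """Split one constructed log line into fields; None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status, body = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": int(status), "body": body}


def injected_fields(body):
    """Names of username/password fields whose decoded value has an OR tautology."""
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    return [f for f in ("username", "password")
            if any(TAUTOLOGY.search(v) for v in params.get(f, []))]


def find_sqli_login_attempts(log_text):
    """Flag injected POSTs to the parent login page.

    A 3xx answer (redirect into the portal) is escalated to 'possible bypass',
    since successful exploitation grants admin-level access.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        fields = injected_fields(rec["body"])
        if fields:
            sev = "possible bypass" if 300 <= rec["status"] < 400 else "attempt"
            findings.append((rec["ts"], rec["ip"], tuple(fields), sev))
    return findings
```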

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P