CVE-2018-7477
Published 2018-02-28

CVE-2018-7477: SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 via the Username and Password fields to parents/Parent_module/parent_login.php.
Priority: P2 (60) · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
EXPLOIT
EPSS: 2.80% (84.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| school_management_script_project | school_management_script | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to the path `parents/Parent_module/parent_login.php` for SQL injection payloads in the Username or Password fields, particularly payloads containing single quotes and OR-based logic (e.g., `x'or'x'='x`).
- Successful exploitation results in authentication bypass granting admin-level access; alert on successful logins to the parent login endpoint that originate from unexpected or unauthenticated sessions immediately following a malformed login attempt.
- Note: the exploit was tested on Windows; behavior or path casing may differ on Linux-based deployments of the School Management Script.
- Note: the vulnerable endpoint is scoped specifically to version 3.0.4 of PHP Scripts Mall School Management Script; other versions are not confirmed affected.
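The two detection bullets above, turned into a small log-review routine. This is an added example, not code from the CVE record or from the School Management Script: it flags POSTs to the parent login endpoint whose Username or Password field contains a quote followed by OR-style logic, and raises a second alert when such a POST is answered with the status assumed here to mean "login accepted" (a 302 redirect, which is an assumption, not something the advisory states). The `Request` records are constructed sample traffic.

```python
import re
from dataclasses import dataclass, field

# Endpoint named in the advisory; matched as a path suffix so a deployment prefix does not matter.
PARENT_LOGIN = "parents/Parent_module/parent_login.php"
LOGIN_FIELDS = ("Username", "Password")
# Heuristic from the advisory: a single quote followed by OR-style logic (e.g. x'or'x'='x).
# The trailing \b keeps ordinary apostrophes such as the surname D'Orsay from matching.
SQLI_RE = re.compile(r"'\s*or\b", re.IGNORECASE)
# Assumption (not stated in the advisory): the script answers an accepted login with a 302 redirect.
LOGIN_ACCEPTED_STATUS = 302


@dataclass
class Request:
    session: str
    method: str
    path: str
    status: int
    form: dict = field(default_factory=dict)


def is_injected_login(req: Request) -> bool:
    """True for a POST to the parent login endpoint whose credential fields look injected."""
    if req.method != "POST" or not req.path.endswith(PARENT_LOGIN):
        return False
    return any(SQLI_RE.search(req.form.get(name, "")) for name in LOGIN_FIELDS)


def detect(requests) -> list:
    """Emit ('sqli_attempt', session) for every injected login POST and, when that same
    POST is answered with the accepted-login status, ('bypass_suspected', session)."""
    alerts = []
    for req in requests:
        if is_injected_login(req):
            alerts.append(("sqli_attempt", req.session))
            if req.status == LOGIN_ACCEPTED_STATUS:
                alerts.append(("bypass_suspected", req.session))
    return alerts


# Constructed sample traffic: a normal login, the advisory's payload that gets accepted,
# and a legitimate surname containing an apostrophe that must not raise an alert.
SAMPLE = [
    Request("s1", "POST", "/school/" + PARENT_LOGIN, 200,
            {"Username": "parent01", "Password": "Winter2018"}),
    Request("s2", "POST", "/school/" + PARENT_LOGIN, 302,
            {"Username": "x'or'x'='x", "Password": "x'or'x'='x"}),
    Request("s3", "POST", "/school/" + PARENT_LOGIN, 200,
            {"Username": "D'Orsay", "Password": "correct horse"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```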
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.