CVE-2020-23935
Published 2020-08-20

CVE-2020-23935: Kabir Alhasan Student Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".
Priority P2 · 77 · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 15.93% (96.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kabir-m-alhasan | student_management_system | — | — |
Detection & IOCs (extracted from sources)
- Detect SQLi authentication bypass attempts by monitoring POST requests to /process.php containing the SQL comment sequence in the username field: a U_USERNAME value ending with '# (single quote followed by the hash comment operator).
- Monitor POST requests to /process.php with Content-Type: application/x-www-form-urlencoded for a U_USERNAME parameter containing a single-quote character, indicative of SQL injection.
- Alert on login attempts to /admin/login.php or /index.php?q=login where the submitted username field contains SQL comment characters (the '# pattern), regardless of the password value.
- Note: the exploit was tested specifically on Windows with WampServer; behavior or path structure may differ on other hosting environments.
- Note: the default credentials for the application are admin:admin; deployments that have not changed the defaults are trivially accessible even without SQLi.
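The three detection notes above, turned into a small request classifier as an added example (not code from the advisory or the vulnerable project): it parses a form-encoded login POST, checks the U_USERNAME field for the `'#` comment pattern the bypass relies on, and flags a bare single quote as a weaker signal. The endpoint list, field name and sample requests are taken from the notes above; the sample traffic is constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Login endpoints named in the detection notes above; /index.php only counts
# when its query string is q=login.
LOGIN_ENDPOINTS = {"/process.php", "/admin/login.php", "/index.php"}
USERNAME_FIELD = "U_USERNAME"
# A quote followed by '#' comments out the rest of the SQL statement, which is
# the bypass pattern the advisory describes (admin'#).
COMMENT_BYPASS = re.compile(r"'\s*#")

def classify_login_request(method, target, content_type, body):
    """Return 'sqli-comment-bypass', 'sqli-suspect' or None for one request."""
    if method.upper() != "POST":
        return None
    parts = urlsplit(target)
    if parts.path not in LOGIN_ENDPOINTS:
        return None
    if parts.path == "/index.php" and parse_qs(parts.query).get("q") != ["login"]:
        return None
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return None
    # parse_qs percent-decodes, so %27%23 and a literal '# are both seen as '#.
    fields = parse_qs(body, keep_blank_values=True)
    for username in fields.get(USERNAME_FIELD, []):
        if COMMENT_BYPASS.search(username):
            return "sqli-comment-bypass"
        if "'" in username:
            return "sqli-suspect"  # quote present, but not the comment form
    return None

# Constructed sample requests (not captured traffic): (method, target, Content-Type, body).
SAMPLE_REQUESTS = [
    ("POST", "/process.php", "application/x-www-form-urlencoded",
     "U_USERNAME=admin%27%23&U_PASSWORD=anything"),
    ("POST", "/index.php?q=login", "application/x-www-form-urlencoded",
     "U_USERNAME=o%27brien&U_PASSWORD=pw"),
    ("POST", "/process.php", "application/x-www-form-urlencoded",
     "U_USERNAME=admin&U_PASSWORD=admin"),
]

def scan(requests):
    hits = []  # (target, verdict) for every request that triggers a verdict
    for method, target, ctype, body in requests:
        verdict = classify_login_request(method, target, ctype, body)
        if verdict:
            hits.append((target, verdict))
    return hits
```

Running `scan(SAMPLE_REQUESTS)` flags the first request as the comment bypass and the second as a suspect quote (a legitimate name such as O'Brien), while the plain admin:admin login is not reported by this check.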
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/165215/Kabir-Alhasan-Student-Management-System-1.0-SQL-Injection.html
- https://github.com/enesozeser/Vulnerabilities/blob/master/CVE-2020-23935