FKIE_CVE-2020-10505

Vulnerability from fkie_nvd - Published: 2020-04-15 07:15 - Updated: 2024-11-21 04:55
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of SQL Injection, an attacker can use a union based injection query string to get databases schema and username/password.
References
twcert@cert.org.twhttps://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d
twcert@cert.org.twhttps://www.twcert.org.tw/tw/cp-132-3530-53d32-1.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d
af854a3a-2127-422b-91ae-364da2661108https://www.twcert.org.tw/tw/cp-132-3530-53d32-1.htmlThird Party Advisory
Impacted products
Vendor Product Version
the_school_manage_system_project the_school_manage_system -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:the_school_manage_system_project:the_school_manage_system:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6EAA067C-7930-48F8-8C95-497A19B2BD7E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of SQL Injection, an attacker can use a union based injection query string to get databases schema and username/password."
    },
    {
      "lang": "es",
      "value": "El sistema de gesti\u00f3n escolar antes de 2020, desarrollado por ALLE INFORMATION CO., LTD., Contiene una vulnerabilidad de inyecci\u00f3n SQL, un atacante puede usar una cadena de consulta de inyecci\u00f3n basada en uni\u00f3n para obtener el esquema de bases de datos y nombre de usuario / contrase\u00f1a."
    }
  ],
  "id": "CVE-2020-10505",
  "lastModified": "2024-11-21T04:55:29.700",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "twcert@cert.org.tw",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-15T07:15:12.050",
  "references": [
    {
      "source": "twcert@cert.org.tw",
      "url": "https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d"
    },
    {
      "source": "twcert@cert.org.tw",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.twcert.org.tw/tw/cp-132-3530-53d32-1.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.twcert.org.tw/tw/cp-132-3530-53d32-1.html"
    }
  ],
  "sourceIdentifier": "twcert@cert.org.tw",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "twcert@cert.org.tw",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.