CVE-2020-29285: SQL injection in POS in PHP/ PDO 1.0
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php.
Watch the video to learn more about this and other important vulnerabilities.
1.2 CVSS Score
The CVSS Base score of this vulnerability is 9.8 critical. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1.3 Affected Version
Point of Sales software PDO package in PHP- Version 1.0.
1.4 Vulnerability Attribution
The advisory is shared at github.com
1.5 Risk Impact
Exploit is available in public domain here.
Nowadays, majority of store owners have replaced their old registers with POS and use the automated Point of Sale system to make sure that all their store operations run smoothly. So, if you are a retail store owner and you are looking for a Point of Sale in PHP/PDO, this one is just right for you. Exploiting this vulnerability can lead to exfiltration of sensitive customer data from POS database
1.6 Virsec Security Platform (VSP) Support:
The Virsec Security Platform (VSP)- Web has capability that can detect all types of SQL injection attack and prevent this attack from being exploited.
1.7 Reference Links:
- NVD - CVE-2020-29285 (nist.gov)
- Point of Sales in PHP/PDO with Full Source Code (2020) | Free Source Code, Projects & Tutorials (sourcecodester.com)
- Point-of-Sales/README.md at main · BigTiger2020/Point-of-Sales · GitHub
Download the full vulnerability report to learn more about this and other important vulnerabilities.