CVE-2020-10505

Description

The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a vulnerability of SQL Injection, an attacker can use a union based injection query string to get databases schema and username/password.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

ALLE INFORMATION CO., LTD. / School Manage Systembefore 2020 – before 2020

References

MISChttps://www.twcert.org.tw/tw/cp-132-3530-53d32-1.html
MISChttps://www.chtsecurity.com/news/be93c576-e421-489f-9453-a462bdd4c90d