阿里云漏洞库

漏洞描述

A vulnerability was found in SourceCodester Loan Management System. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-206162 is the identifier assigned to this vulnerability.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/Drun1baby/CVE_Pentest/blob/main/Loan%20Management%20System...
https://vuldb.com/?id.206162

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	loan_management_system_project	loan_management_system	-	-
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	kernel	*		Up to (excluding) 4.19.91-25.8.al7
	运行在以下环境
	系统	alibaba_cloud_linux_3	kernel	*		Up to (excluding) 5.10.112-11.al8
	运行在以下环境
	系统	alma_linux_8	kernel	*		Up to (excluding) 4.18.0-372.13.1.rt7.170.el8_6
	运行在以下环境
	系统	alma_linux_9	kernel	*		Up to (excluding) 5.14.0-70.17.1.rt21.89.el9_0
	运行在以下环境
	系统	amazon_2	kernel	*		Up to (excluding) 5.10.106-102.504.amzn2
	运行在以下环境
	系统	amazon_2022	golang	*		Up to (excluding) 1.19.1-1.amzn2022.0.2
	运行在以下环境
	系统	amazon_2023	golang	*		Up to (excluding) 1.19.3-2.amzn2023.0.2
	运行在以下环境
	系统	amazon_AMI	golang	*		Up to (excluding) 1.18.6-1.42.amzn1
	运行在以下环境
	系统	anolis_os_7	kernel	*		Up to (excluding) 4.19
	运行在以下环境
	系统	anolis_os_8	kernel	*		Up to (excluding) 4.19
	运行在以下环境
	系统	fedora_EPEL_7	golang	*		Up to (excluding) 1.18.9-1.el7
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	kernel	*		Up to (excluding) 4.19.90-23.23.v2101.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	kernel	*		Up to (excluding) 4.19.90-25.14.v2101.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	kernel	*		Up to (excluding) 4.19.90-23.23.v2101.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	kernel	*		Up to (excluding) 4.19.90-25.14.v2101.ky10
	运行在以下环境
	系统	opensuse_Leap_15.3	kernel	*		Up to (excluding) 5.3.18-150300.38.53.1
	运行在以下环境
	系统	opensuse_Leap_15.4	wire	*		Up to (excluding) 9.16.6-150000.12.65.1
	运行在以下环境
	系统	opensuse_Leap_15.5	wire	*		Up to (excluding) 0.5.0-150000.1.12.3
	运行在以下环境
	系统	oracle_8	git-lfs	*		Up to (excluding) 2.13.3-3.el8_6
	运行在以下环境
	系统	oracle_9	git-lfs	*		Up to (excluding) 3.2.0-1.el9
	运行在以下环境
	系统	redhat_8	kernel	*		Up to (excluding) 4.18.0-372.13.1.el8_6
	运行在以下环境
	系统	redhat_9	golang	*		Up to (excluding) 1.18.9-1.el9_1
	运行在以下环境
	系统	rocky_linux_8	kernel	*		Up to (excluding) 4.18.0-372.13.1.rt7.170.el8_6
	运行在以下环境
	系统	suse_12_SP5	kernel	*		Up to (excluding) 4.12.14-16.94.1

攻击路径

网络
攻击复杂度

低
权限要求

无
影响范围

未更改
用户交互

无
可用性

高
保密性

高
完整性

高

CWE-ID	漏洞类型
CWE-89	SQL命令中使用的特殊元素转义处理不恰当（SQL注入）

loan_management_system_project loan_management_system sql命令中使用的特殊元素转义处理不恰当（sql注入）

漏洞描述

解决建议

参考链接

受影响软件情况