Skip to content

Instantly share code, notes, and snippets.

@senzee1984

senzee1984/CVE-2022-36256.md

Created August 31, 2022 22:59
Show Gist options
  • Save senzee1984/0fd90a5939ffb401e8a74f4a415e1610 to your computer and use it in GitHub Desktop.
Save senzee1984/0fd90a5939ffb401e8a74f4a415e1610 to your computer and use it in GitHub Desktop.
Download ZIP
Public Reference for CVE-2022-36256
Raw
CVE-2022-36256.md

Product: InvetoryManagementSystem

Vendor: https://github.com/sazanrjb

Affected Version(s): 1.0

CVE ID: CVE-2022-36256

Description: A SQL injection vulnerability in Stocks.java in sazanrjb InventoryManagementSystem 1.0 allows attackers to execute arbitrary SQL commands via the parameters such as "productcode".

Vulnerability Type: SQL injection

Root Cause: Multiple methods and their parameters such as checkStock(String productcode, Statement stmt) in source file Stocks.java do not have user input sanitiazation.

Impact: An attacker is able to extract sensitive data from the database.

PoC:

  1. Set value of parameter "productcode" as '--.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment