Online Examination
Monthly
SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.
SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.
SQL injection in code-projects Online Examination 1.0 allows authenticated remote attackers to manipulate database queries through multiple unsanitized parameters in the Quiz Creation Feature. The endpoint /update.php?q=addquiz accepts user-supplied input for the name, total, right, wrong, time, tag, and desc arguments without adequate sanitization, enabling read and write access to the underlying database. A public proof-of-concept exploit exists on GitHub, though the application's extremely limited deployment footprint constrains real-world impact.
SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.