Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-nu11-16-092421

Last updated September 26, 2021

Description

OBS-PHP (by oretnom23) v1.0 is vulnerable to remote SQL injection authentication bypass, stored XSS and PHPSESSID hijacking. The component vulnerable to the remote SQL injection authentication bypass is “login.php”, with the parameters “username” and “password”. After successfully pwning the credentials of the admin account, the malicious user can store an XSS payload with which he can take the active PHPSESSID every time he wants to log in to the system with an admin account by using this exploit.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-nu11-16-092421

Description:

OBS-PHP (by oretnom23) v1.0 is vulnerable to remote SQL injection authentication bypass, stored XSS, and PHPSESSID hijacking.
The component vulnerable to the remote SQL injection authentication bypass is “login.php”, with the parameters “username” and “password”.
After successfully pwning the credentials of the admin account, the malicious user can store an XSS payload with which he can take the active PHPSESSID
every time he wants to log in to the system with an admin account by using this exploit.

Reproduce: href

Proof: href

BR nu11secur1ty
