code-projects 在线入学申请系统 oas.sql 敏感信息泄露

CVE-2026-5650 影响 code-projects 的在线入学申请系统 1.0 版本。在文件 /enrollment/database/oas.sql 中一个未知的函数中发现了一个漏洞，允许进行操作，从而导致敏感信息存储不安全。这些信息可能包括申请人的个人数据、入学详情或存储在数据库中的任何其他数据。该漏洞的严重程度在 CVSS 规模上评为 5.3，表明存在中等风险。漏洞利用程序的公开可用性会大大增加风险，因为它便于恶意行为者利用。

Organizations using the Online Application System for Admission in production environments, particularly those with sensitive user data or financial information, are at significant risk. Systems with default configurations or inadequate security practices are especially vulnerable. Shared hosting environments where multiple applications share the same database are also at increased risk.

• generic web: Use curl to test the /enrollment/database/oas.sql endpoint with various SQL injection payloads. Look for errors or unexpected behavior indicating successful injection.

curl 'http://example.com/enrollment/database/oas.sql?param=1' 2>&1 | grep -i "error"

• php: Examine the application's source code for the /enrollment/database/oas.sql file. Search for instances of direct SQL query construction without proper sanitization or parameterization. • php: Check PHP error logs for SQL injection attempts or errors related to database queries. • generic web: Monitor web server access logs for unusual requests targeting the /enrollment/database/oas.sql endpoint, especially those originating from unexpected IP addresses.

1. 2026-04-06Disclosure

   disclosure

1. 已保留2026-04-05
2. 发布日期2026-04-06
3. EPSS 更新日期2026-04-13

目前，code-projects 尚未为 CVE-2026-5650 提供官方修复程序。最有效的即时缓解措施是，在实施解决方案之前禁用或限制对在线申请系统的访问。系统管理员强烈建议密切监控其系统是否存在可疑活动。此外，建议对源代码进行彻底的安全审计，以识别和修复任何类似的漏洞。保持服务器软件和数据库更新是减少攻击面的一种基本实践。考虑实施 Web 应用程序防火墙 (WAF) 以防止常见的攻击。