Online Matrimonial Project v1.0 - Multiple Unauthenticated SQL Injections (SQLi)

Description

Online Matrimonial Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

Vulnerabilities

CVE-2023-46785

The 'id' parameter of the partner_preference.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-46787

The 'username' parameter of the auth/auth.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-46788

The 'id' parameter in the 'uploadphoto()' function of the functions.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

photouploader.php:

functions.php:

CVE-2023-46789

The 'filename' attribute of the 'pic1' multipart parameter of the functions.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-46793

The 'day' parameter in the 'register()' function of the functions.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-46800

The 'id' parameter of the view_profile.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

Our security policy

We have reserved the IDs CVE-2023-46785, CVE-2023-46787, CVE-2023-46788, CVE-2023-46789, CVE-2023-46793, and CVE-2023-46800 to refer to these issues from now on. Disclosure policy

System Information

• Version: Online Matrimonial Project v1.0

• Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://projectworlds.in/