CVE-2020-37154

Vulnerability

Description

The eLection 2.0 application contains an authenticated SQL injection vulnerability in the candidate management endpoint, specifically within the 'id' parameter passed to the op_kandidat.php handler [1][2][4]. The root cause is improper neutralization of special elements used in an SQL command (CWE-89), allowing an attacker to manipulate database queries [4].

Exploitation

An attacker must first authenticate to the admin portal. By intercepting the POST request to /election/admin/ajax/op_kandidat.php and modifying the 'id' parameter, they can inject malicious SQL payloads [1][2]. Using automated tools like SQLMap with the --os-shell flag, the attacker can escalate the injection to remote code execution by uploading a backdoor file to the web server directory [1][2].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary operating system commands and upload additional files, leading to full compromise of the application server [1][2][4]. The CVSS v3.1 score is 7.1 (High) with the vector indicating high impact on confidentiality and low impact on integrity and availability [4].

Mitigation

As of the latest available information, no official patch has been released. The project appears to be unmaintained [3]. Mitigations include restricting network access to the admin interface, implementing strict input validation on the 'id' parameter, and using a web application firewall. Users should consider migrating to a supported alternative [3][4].