CVE-2020-9340
Description
fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- fauzantrif/eLectiondescription
- Range: =2.0
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the `id` parameter in `admin/ajax/op_kandidat.php` allows SQL injection."
Attack vector
An attacker must first authenticate to the admin portal. After logging in, they navigate to the candidates section and capture the POST request to `admin/ajax/op_kandidat.php`. The `id` parameter in that request is injectable. SQLMap can be used to exploit the injection, and because the application's setup requires writable directory permissions, the attacker can upload a web shell and achieve remote code execution. [ref_id=1]
Affected code
The vulnerability resides in `admin/ajax/op_kandidat.php`, specifically the `id` parameter passed via POST. The file is part of the eLection 2.0 admin panel's candidate management functionality.
What the fix does
No patch is provided in the bundle. The advisory [ref_id=1] does not include a fix; it only documents the exploit path. To remediate, the application should use parameterized queries or prepared statements for the `id` parameter in `op_kandidat.php` to prevent SQL injection.
Preconditions
- authAttacker must have valid admin credentials to log into the admin portal.
- configThe web application directory must have writable permissions (as required by the application's setup).
- networkThe attacker must be able to send HTTP POST requests to the target server.
- inputThe `id` POST parameter must be user-controllable and unsanitized.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.mdmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.