From portswigger.net
Vulnerabilities in the e-commerce domain of Indian bookseller Oswaal Books could have allowed attackers to seize control of the website, a security researcher has claimed.
In a blog post, ‘Vikaran101’ recounts how a malicious hacker could then change the administrator password, cancel orders, initiate refunds, edit book details and prices, edit blog posts and SEO settings, deface the website, view customers’ resumes, and edit customer information such as postal address and phone numbers.
After taking control of the administrator account via SQL injection, the researcher achieved remote code execution (RCE), bypassed one-time password (OTP) authentication, and unearthed a cross-site request forgery (CSRF) bug, he claims.