Mohamed told The Hacker News that the SQLi vulnerability in the Jobvite website allowed him to gain access to the company's website database, which includes the confidential data of its admin users (Jobvite employees), along with their emails, hashing salts and hashed passwords.
When The Hacker News asked Fouad about the fixes, he replied, “I think they fixed LFI because it's not working now, but during my attack I got all LINUX USERS. But the site is still vulnerable to the SQLi vulnerability.”
“I approached the company 6 times during the last 4 months but I got no reply, specifically from 'Mahesh,' the security consultant, Jobvite security. I don't know about their plan for the SQLi fix, but the last reply was 4 months ago,” he added.
Jobvite's CTO, Adam Hyder, told The Hacker News that the website uses SilverStripe, an open source CMS, to host Jobvite marketing content only.
"Our corporate site does not contain any application or customer data. Jobvite application and customer data are completely secure," he said.
But the SQL injection vulnerability in the SilverStripe CMS exposes Jobvite employees' login credentials to an attacker.
SilverStripe told the researcher that the SQLi vulnerability exists in Jobvite's website because of Jobvite's own custom code, and does not originate from the default CMS.