Backstage access: an unauthenticated SQL injection in Front Gate Tickets
Summary
The article exposes an unauthenticated SQL injection in Front Gate Tickets' device API, enabling read access to a large customer and staff data store and potentially full administrative control via password reset tokens. It also discusses bypassing a AWS WAF and the impact of the breach, including ticketing manipulation and credential exposure, followed by disclosure and vendor response. This highlights critical API security flaws and the need for robust input validation, authentication, and mitigations for SMB IT environments.