It is possible to access other users' support tickets simply by changing the 'sys_request_id' parameter to an arbitrary value on the editrequestuser.asp page.
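The fix for this class of flaw is an ownership check performed on the server, not a harder-to-guess identifier. The example below is added here and is not code from the advisory or from the affected application; it uses a constructed in-memory ticket table and hypothetical function names to show the lookup that trusts 'sys_request_id' alone beside a lookup that also requires the row to belong to the requesting user (or the requester to be an administrator according to server-side session state).

```python
# Added example (not from the advisory): server-side ownership check for a
# support-ticket lookup keyed by a client-supplied id such as 'sys_request_id'.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    request_id: int
    owner: str
    body: str


# Constructed sample data standing in for the application's tickets table.
TICKETS = {
    101: Ticket(101, "alice", "Laptop will not boot"),
    102: Ticket(102, "bob", "VPN drops every hour"),
}


class AccessDenied(Exception):
    pass


def parse_request_id(raw: str) -> int:
    """Reject anything that is not a plain positive integer before it reaches a query."""
    if not raw.isdigit():
        raise ValueError("sys_request_id must be a positive integer")
    return int(raw)


def load_ticket_vulnerable(raw_id: str) -> Optional[Ticket]:
    """The pattern the advisory describes: the id alone selects the row, so any
    authenticated user can read any ticket by changing the parameter."""
    return TICKETS.get(parse_request_id(raw_id))


def load_ticket(session_user: str, session_group: str, raw_id: str) -> Ticket:
    """Hardened lookup: the row must exist AND belong to the requesting user,
    unless the server-side session says the user is an administrator.
    'missing' and 'not yours' produce the same error so ids cannot be enumerated."""
    request_id = parse_request_id(raw_id)
    ticket = TICKETS.get(request_id)
    if ticket is None or (ticket.owner != session_user and session_group != "administrator"):
        raise AccessDenied("ticket not found")
    return ticket


def can_read(session_user: str, session_group: str, raw_id: str) -> bool:
    """Convenience wrapper returning True only when the hardened lookup succeeds."""
    try:
        load_ticket(session_user, session_group, raw_id)
        return True
    except (AccessDenied, ValueError):
        return False
```

The session user and group passed to `load_ticket` must come from server-side session state, not from a cookie the client can edit; the same error response for a missing ticket and a ticket owned by someone else keeps the page from acting as an oracle for valid ids.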
3. Unencrypted login vulnerability
An attacker may be able to log in to the application using credentials captured off the wire.
Since the login page is not encrypted (no SSL encryption layer), usernames and passwords are sent over the network in cleartext. These could be intercepted by an attacker on the same network and used to gain access to the application.
4. Password disclosure vulnerability
An attacker may be able to log in to the database directly with the credentials disclosed.
The error page discloses the ODBC database connection string containing the cleartext username and password for the database connection. An attacker can then use these details to access the database. The vulnerable page was 'selectawasset.asp' with a query string parameter of 'element=sys_asset_id'.
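Two controls address this finding: the user-facing error page carries only a fixed message and a correlation id, and whatever detail is kept for the server log has connection-string secrets redacted before it is written. The example below is added here, is not code from the advisory or the affected application, and uses a constructed error string in the style of an ODBC driver failure; the function names are hypothetical.

```python
# Added example (not from the advisory): keep driver/connection-string detail out of
# the response and redact credentials before the detail reaches a log.
import re

# Matches credential-bearing keys in ODBC-style "Key=Value;" strings, case-insensitively.
_SECRET_KEYS = re.compile(r"(?i)\b(pwd|password|uid|user\s*id|user)\s*=\s*([^;]*)")


def redact_connection_string(text: str) -> str:
    """Replace the value of any credential key with *** while leaving other keys intact."""
    return _SECRET_KEYS.sub(lambda m: f"{m.group(1)}=***", text)


def public_error_page(exc: Exception, error_id: str) -> str:
    """What the user sees: a fixed message and a reference id, never the exception text."""
    return f"An error occurred. Reference: {error_id}"


def log_line(exc: Exception, error_id: str) -> str:
    """What goes to the server log: full detail, but with connection-string secrets redacted."""
    return f"[{error_id}] {type(exc).__name__}: {redact_connection_string(str(exc))}"


# Constructed error text in the style of an ODBC driver failure; not from a real system.
SAMPLE_ERROR = Exception(
    "Microsoft OLE DB Provider for ODBC Drivers: Login failed. "
    "Connection string: DRIVER={SQL Server};SERVER=dbhost;DATABASE=helpdesk;UID=appuser;PWD=S3cret!"
)
```

The reference id is what lets support staff find the redacted log entry; the same id is the only thing the response and the log have in common. Redaction is a second line of defence, not a substitute for keeping the connection string out of error text in the first place.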
5. Embedded cross-site scripting vulnerability
An attacker may be able to steal session cookies, elevate privileges, attempt to install software or redirect victims to malicious sites.
An attacker can log in as any user he/she wishes and make arbitrary changes to the application data.
The following cookies control the user's login session and can be trivially modified to log in as admin or any other known username. The 'loggedinuserusergroup' cookie can be set to 'administrator' to gain full privileges.
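The underlying defect is that identity and group membership are read from cookies the client controls. The fix is an opaque, randomly generated session id that the server maps to user and group state it holds itself, so a cookie that names a group has no effect. The example below is added here and is not code from the advisory or the affected application; it shows the cookie-trusting pattern beside a server-side session store with a constructed user table and hypothetical function names, and includes the cookie attributes that also limit the impact of the unencrypted-login and cross-site scripting findings above (Secure, HttpOnly).

```python
# Added example (not from the advisory): server-side sessions instead of trusting
# 'loggedinuser' / 'loggedinuserusergroup' cookies for identity and privilege.
import secrets
from http.cookies import SimpleCookie

# Constructed user store; group membership lives here, never in a cookie.
USERS = {"alice": "user", "helpdesk": "administrator"}


def privileges_vulnerable(cookie_header: str) -> tuple:
    """Pattern described in the advisory: identity and group are read straight from
    client-controlled cookies, so whatever the client sends is believed."""
    c = SimpleCookie()
    c.load(cookie_header)
    return (c["loggedinuser"].value, c["loggedinuserusergroup"].value)


class SessionStore:
    """Opaque random session ids mapped to server-side state.
    Only the id is looked up; any other cookie the client sends is ignored."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str) -> str:
        """Called only after the password has been verified elsewhere."""
        if username not in USERS:
            raise PermissionError("unknown user")
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": username, "group": USERS[username]}
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def privileges(self, cookie_header: str) -> tuple:
        """Resolve (user, group) from the 'sid' cookie; unknown or missing ids are anonymous."""
        c = SimpleCookie()
        c.load(cookie_header)
        sess = self._sessions.get(c["sid"].value) if "sid" in c else None
        if sess is None:
            return ("anonymous", "none")
        return (sess["user"], sess["group"])


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure keeps it off cleartext HTTP, HttpOnly keeps it from script."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

With this layout a client that presents `loggedinuserusergroup=administrator` alongside a valid session still receives the group recorded at login, and a forged or expired `sid` resolves to an anonymous session rather than to any named user.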