Computer Laboratory Management System v1.0 is vulnerable to SQL Injection via the "id" parameter of /admin/damage/view_damage.php.
An attacker sends a crafted HTTP request to the /admin/damage/view_damage.php endpoint, injecting malicious SQL code into the 'id' parameter. The application does not properly validate or filter input data, so the injected code is executed directly by the database engine. The lack of authentication requirement (PR:N) and low attack complexity (AC:L) make the exploit executable without any special prerequisites.
An attacker can gain unauthorized access to all data stored in the database (confidentiality), modify or delete data (integrity), and in certain configurations cause system unavailability (availability). It is also possible to steal authentication credentials to the system and take over administrator accounts.
Patches available from the vendor should be applied according to the references. Until the fix is implemented, it is recommended to restrict access to the administration panel (/admin/) at the firewall or web server level and implement parameterized SQL queries (prepared statements) in the application code.
Computer Laboratory Management System v1.0 by Oretnom23
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOretnom23 Computer Laboratory Management System
APPOretnom231.0
Related vulnerabilities
SQL Injection w SourceCodester Computer Laboratory Management System
SQL Injection w SourceCodester Computer Laboratory Management System 1.0
SQL Injection w Computer Laboratory Management System v1.0 (parametr 'id')
SQL Injection w Computer Laboratory Management System v1.0
A SQL injection vulnerability in manage_damage.php in Sourcecodester Computer Laboratory Management System v1....