SourceCodester Computer Laboratory Management System 1.0 allows admin/category/view_category.php id SQL Injection.
An attacker sends a specially crafted HTTP request to the admin/category/view_category.php endpoint, placing a malicious SQL payload in the 'id' parameter. The application does not properly validate or filter input data before passing it to the database query, which allows manipulation of the executed SQL query logic. Due to the network vector (AV:N), lack of authentication requirement (PR:N), and lack of user interaction (UI:N), the attack can be conducted remotely and fully automatically.
An attacker can gain unauthorized access to data stored in the database, modify or delete data, and in certain database server configurations potentially execute system commands — which means complete loss of data confidentiality, integrity, and availability.
Apply patches available from the vendor according to references. Additionally, it is recommended to implement parameterized queries (prepared statements) in the application code and restrict access to the administrative panel exclusively to trusted IP addresses.
SourceCodester Computer Laboratory Management System version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOretnom23 Computer Laboratory Management System
APPOretnom231.0
Related vulnerabilities
SQL Injection w SourceCodester Computer Laboratory Management System
SQL Injection w Computer Laboratory Management System v1.0 (parametr 'id')
SQL Injection w Computer Laboratory Management System v1.0
SQL Injection w Computer Laboratory Management System v1.0 — parametr 'id'
A SQL injection vulnerability in manage_damage.php in Sourcecodester Computer Laboratory Management System v1....