An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting this flaw can lead to unauthorized information disclosure, privilege escalation, or database manipulation.
The vulnerability exists in the pjActionGetUser function, where the column parameter is directly inserted into the SQL query without proper validation or parameterized query execution (CWE-89). An attacker can submit a crafted HTTP request containing a malicious SQL payload as the column parameter value. This allows modification of the logic of queries executed by the application against the database, leading to unauthorized reading, writing, or modification of data.
An attacker can gain unauthorized access to sensitive data stored in the database (information disclosure), perform privilege escalation through user data manipulation, and directly modify or delete database contents.
Apply patches available from the vendor according to references. Until the fix is implemented, it is recommended to restrict application access exclusively to trusted networks and implement Web Application Firewall rules blocking SQL injection attempts.
PHPJabbers Cinema Booking System v2.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPhpjabbers Cinema Booking System
APPPhpjabbers2.0
Related vulnerabilities
Stored XSS w PHPJabbers Cinema Booking System v2.0
PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to...
PHPJabbers Cinema Booking System v1.0 is vulnerable to Reflected Cross-Site Scripting (XSS) in Now Showing men...
PHPJabbers Cinema Booking System v1.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "titl...
A lack of rate limiting in the 'Forgot Password' feature of PHPJabbers Cinema Booking System v1.0 allows attac...