Multiple SQL injection vulnerabilitites in ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allows a remote attacker to execute arbitrary code via the orderby parameter
An attacker remotely sends a crafted HTTP request containing a malicious payload injected into the 'orderby' parameter. The application does not validate or sanitize the value of this parameter before passing it to the SQL query, allowing manipulation of the database logic. This vulnerability enables escalation from SQL injection to arbitrary code execution (RCE) on the target server. The attack requires no authentication or user interaction.
An attacker can gain full control over the system — read, modify, or delete data in the database, as well as execute arbitrary code on the server, which poses a risk of complete system and infrastructure takeover.
The Money-Pos system must be updated to a version containing commit 11f276bd20a41f089298d804e43cb1c39d041e59 (dated 2025-09-14) or newer. Details available in the producer's references on GitHub.
Ycf1998 Money-Pos system in all versions prior to commit 11f276bd20a41f089298d804e43cb1c39d041e59 dated 2025-09-14
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HYcf1998 Money Pos
APPYcf1998< 2025-09-14