CRITICAL🇵🇱 Wersja polska

CVE-2026-30530

CVSS 9.8v3.1pub. 2026-03-27upd. 2026-03-30

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an attacker to inject malicious SQL commands.

🤖 AI Analysis
How it works

The application does not properly sanitize user input provided to the 'username' parameter in the save_customer action of the Actions.php file. The lack of filtering allows an attacker to inject arbitrary SQL commands into the query executed by the database server. The attack is possible remotely, without authentication and without user interaction, corresponding to a network vector with low complexity (AV:N/AC:L/PR:N/UI:N).

Impact

An attacker can gain unauthorized access to data stored in the database (confidentiality), modify or delete data (integrity), and potentially cause service unavailability or take control of the database server (availability).

Mitigation & patch

Apply patches available from the vendor according to the references. As temporary measures, it is recommended to implement validation and parameterization of SQL queries (prepared statements), restrict access to the vulnerable endpoint at the firewall/WAF level, and monitor logs for anomalous queries.

Who is affected

SourceCodester Online Food Ordering System v1.0 (Actions.php file, save_customer action)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oretnom23 Online Food Ordering System

    APP
    Oretnom23
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-30533CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Online Food Ordering System przez parametr 'id'

CVE-2026-30532CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Online Food Ordering System via parametr 'id'

CVE-2023-30122CRITICAL9.8ten sam produkt

An arbitrary file upload vulnerability in the component /admin/ajax.php?action=save_menu of Online Food Orderi...

CVE-2023-24646CRITICAL9.8ten sam produkt

An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allow...

CVE-2020-29297CRITICAL9.8ten sam produkt

Multiple SQL Injection vulnerabilities in tourist5 Online-food-ordering-system 1.0.