A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the "id" parameter.
The vulnerability occurs in the 'id' parameter handled by the admin/view_product.php file. Data supplied by the user is passed directly to the SQL query without proper validation or parameterization. An attacker can inject malicious SQL code, modifying the query logic and gaining unauthorized access to the database. The attack vector is network-based, requires no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N).
An attacker can gain full access to data stored in the database (including user and administrator data), modify or delete data, and in some configurations potentially execute operations at the server operating system level.
Apply patches available from the manufacturer according to the references. Until the patch is implemented, it is recommended to restrict access to the administration panel (e.g., through a firewall or IP address restrictions) and implement SQL query validation and parameterization on the application side.
SourceCodester Online Food Ordering System v1.0 (admin/view_product.php file, 'id' parameter)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOretnom23 Online Food Ordering System
APPOretnom231.0
Related vulnerabilities
SQL Injection w Online Food Ordering System przez parametr 'id'
SQL Injection w Online Food Ordering System — parametr username
An arbitrary file upload vulnerability in the component /admin/ajax.php?action=save_menu of Online Food Orderi...
An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allow...
Multiple SQL Injection vulnerabilities in tourist5 Online-food-ordering-system 1.0.