A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter.
The vulnerability exists in the admin/manage_product.php file, where the 'id' parameter transmitted in the HTTP request is not properly validated or parameterized before use in an SQL query. An attacker can inject malicious SQL code by manipulating the value of this parameter, allowing execution of arbitrary queries to the database. The attack is possible remotely, without authentication, and without user interaction.
An attacker can gain full access to data stored in the database (including user and product data), and depending on the database server configuration, can also modify or delete data, leading to violations of system confidentiality, integrity, and availability.
Patches available from the vendor should be applied according to the references. It is also recommended to implement parameterized SQL queries (prepared statements) and server-side input validation. Until updates are applied, it is recommended to restrict access to the admin panel exclusively to trusted IP addresses.
SourceCodester Online Food Ordering System v1.0 (admin/manage_product.php file, 'id' parameter)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOretnom23 Online Food Ordering System
APPOretnom231.0
Related vulnerabilities
SQL Injection w SourceCodester Online Food Ordering System via parametr 'id'
SQL Injection w Online Food Ordering System — parametr username
An arbitrary file upload vulnerability in the component /admin/ajax.php?action=save_menu of Online Food Orderi...
An arbitrary file upload vulnerability in the component /fos/admin/ajax.php of Food Ordering System v2.0 allow...
Multiple SQL Injection vulnerabilities in tourist5 Online-food-ordering-system 1.0.