Facturation System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Facturation System version 1.0. This vulnerability allows authenticated attackers to execute arbitrary SQL queries by injecting malicious payloads through the 'mod_id' parameter. Exploitation of this vulnerability can lead to the extraction of sensitive database information, including usernames, database names, and version details. The issue arises in the 'editar_producto.php' endpoint, where crafted SQL injections can manipulate database queries and retrieve confidential data.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to execute arbitrary SQL commands and potentially access or manipulate sensitive database information.

Reproduction

To reproduce this vulnerability, send a POST request to the 'ajax/editar_producto.php' endpoint with a crafted SQL payload in the 'mod_id' parameter. The injection can be verified by extracting database information such as usernames and version details.
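As an added example (not code from the advisory or the Facturation System project), the following Python helper applies the allow-list check a defender would want for 'mod_id' and runs it over constructed request-log lines for the 'ajax/editar_producto.php' endpoint. It assumes that 'mod_id' is meant to be a plain integer product id and that a log source records the POST form body in the JSON-lines shape shown.

```python
"""Defensive check for the 'mod_id' parameter of ajax/editar_producto.php.

Added example, not the advisory's or the project's own code. Assumes mod_id
should be a short decimal integer and that request logs carry the POST body.
"""
import json
import re
from urllib.parse import parse_qs

TARGET_PATH = "/ajax/editar_producto.php"  # endpoint named in the advisory
PARAM = "mod_id"                            # parameter named in the advisory
INTEGER_ID = re.compile(r"[0-9]{1,10}")     # assumed shape of a product id

# Constructed sample log lines (JSON lines, a made-up log format):
# one normal edit, two requests with a non-integer mod_id, one unrelated GET,
# and one POST to the endpoint that carries no mod_id at all.
SAMPLE_LOG = """
{"ts":"2026-03-06T13:21:00Z","src":"10.0.0.5","method":"POST","path":"/ajax/editar_producto.php","body":"mod_id=42"}
{"ts":"2026-03-06T13:21:05Z","src":"10.0.0.9","method":"POST","path":"/ajax/editar_producto.php","body":"mod_id=42%27"}
{"ts":"2026-03-06T13:21:07Z","src":"10.0.0.5","method":"GET","path":"/index.php","body":""}
{"ts":"2026-03-06T13:21:09Z","src":"10.0.0.9","method":"POST","path":"/ajax/editar_producto.php","body":"mod_id=42+OR+1%3D1"}
{"ts":"2026-03-06T13:21:11Z","src":"10.0.0.7","method":"POST","path":"/ajax/editar_producto.php","body":"nombre=Tornillo"}
"""


def is_valid_mod_id(value: str) -> bool:
    """Allow-list check: accept only a short decimal integer, nothing else."""
    return INTEGER_ID.fullmatch(value) is not None


def body_param(body: str, name: str):
    """Return the first decoded value of a form-encoded parameter, or None."""
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[0] if values else None


def scan(log_text: str):
    """Return (source address, raw mod_id) for every POST to the endpoint
    whose mod_id fails the allow-list check; other requests are ignored."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or rec["path"] != TARGET_PATH:
            continue
        value = body_param(rec["body"], PARAM)
        if value is None or is_valid_mod_id(value):
            continue
        hits.append((rec["src"], value))
    return hits


if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"suspicious mod_id from {src}: {value!r}")
```

The same `is_valid_mod_id` rule is what the endpoint itself should enforce before the value reaches any query, alongside a parameterized statement.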

Added: Mar 6, 2026, 1:21 PM
Updated: Mar 6, 2026, 1:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.