Inventory Webapp SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Inventory Webapp, allowing unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. The vulnerability is present in the 'add-item.php' file, where attackers can exploit the 'name', 'description', 'quantity', or 'cat_id' parameters to execute arbitrary database commands.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to 'php/add-item.php' with injected SQL payloads in the 'name', 'description', 'quantity', or 'cat_id' parameters. The injected SQL will be executed by the application, allowing for manipulation of the database.