Campcodes Online Beauty Parlor Management System SQL Injection Vulnerability in add-customer.php
Vulnerability
A SQL injection vulnerability has been identified in Campcodes Online Beauty Parlor Management System version 1.0. The issue arises in the file /admin/add-customer.php, where the mobilenum parameter can be manipulated to execute unauthorized SQL commands. This vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the admin panel. Access the 'add customer' page and submit a POST request to the add-customer.php file. Include a crafted mobilenum parameter that exploits the application's SQL query handling. The vulnerability can be verified using the sqlmap tool.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.