Haxxorsid Stock-Management-System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Haxxorsid Stock-Management-System in all versions prior to the commit fbbbf213e9c93b87183a3891f77e3cc7095f22b0. The vulnerability resides in the file model/User.php, where user-supplied input for the employee_id, id, and admin arguments is not properly sanitized before being concatenated into SQL queries. This oversight allows remote attackers to inject malicious SQL commands, potentially leading to unauthorized access to sensitive data or manipulation of the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the application that includes unsanitized input in the employee_id, id, or admin fields. The injected SQL payload can then be executed by the database, exploiting the application's SQL query handling.