VAM Virtual Airlines Manager SQL Injection Vulnerability in HTTP GET Parameter Handler
Vulnerability
A critical SQL injection vulnerability has been identified in VAM Virtual Airlines Manager versions prior to 2.6.2. The affected code is in the file /vam/index.php, in its handling of HTTP GET parameters; the specific function has not been identified. Manipulating the ID, registry_id, or plane_icao parameter triggers the flaw, which can be exploited remotely. These are the parameters identified so far; other parameters may also be affected.
Impact
Successful exploitation lets an attacker manipulate the database queries the application runs, potentially leading to unauthorized data access or modification.
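For defenders running an affected version, one way to review web server access logs is to flag requests to /vam/index.php whose ID, registry_id, or plane_icao value does not have the expected shape. The following is an added example, not code from VAM or from the original advisory. It assumes common/combined access log format, numeric values for ID and registry_id, and a 2 to 4 character alphanumeric plane_icao; the log lines and the "page" parameter are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed value shapes (not taken from the VAM source): numeric row ids and a
# short alphanumeric ICAO aircraft type designator such as "B738".
EXPECTED = {
    "id": re.compile(r"\d{1,10}"),
    "registry_id": re.compile(r"\d{1,10}"),
    "plane_icao": re.compile(r"[A-Za-z0-9]{2,4}"),
}
# Client address, request target and status of a common/combined log entry.
REQUEST = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+" (\d{3})')


def flag_requests(lines):
    """Return (client, status, param, value) for each out-of-shape value."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/vam/index.php"):
            continue
        # parse_qsl percent-decodes, so encoded quotes and spaces are caught too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            rule = EXPECTED.get(name.lower())
            if rule and not rule.fullmatch(value):
                findings.append((client, int(status), name, value))
    return findings


# Constructed sample log lines (documentation addresses, made-up page names).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /vam/index.php?page=fleet&plane_icao=B738 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /vam/index.php?page=plane&registry_id=12%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /vam/index.php?page=pilot&ID=7%20abc HTTP/1.1" 200 4800',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /other/index.php?ID=x%27 HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE):
        print(finding)
```

Because other parameters may also be affected, a hit list from this check is a starting point for review rather than a complete picture; extend EXPECTED as further parameters are confirmed.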
