SourceCodester Stock Management System SQL Injection Vulnerability in Return View Page
Vulnerability
A critical SQL injection vulnerability has been identified in SourceCodester Stock Management System version 1.0. The issue arises in the admin return view page, specifically within the ID parameter. This vulnerability allows remote attackers to inject arbitrary SQL queries, potentially leading to unauthorized access to sensitive data. Exploitation of this vulnerability has been publicly disclosed and is available as a proof-of-concept.
Impact
Exploitation of this vulnerability allows attackers to extract sensitive information from the database, such as usernames and password hashes, which could be used for unauthorized access or privilege escalation.
Reproduction
To reproduce this vulnerability, log into a staff member account and navigate to the return view page in the admin panel. Once there, modify the ID parameter to include a UNION-based SQL injection payload that exploits the vulnerability by extracting data from the database.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.