code-projects Medical Store Management System
cpe:2.3:a:medical_store_management_system_project:medical_store_management_system:*:*:*:*:*:*:*
A SQL injection vulnerability has been identified in version 1.0 of the Code-Projects Medical Store Management System. The issue resides in the UpdateMedicines.java file, specifically within the Update Medicines Page component. This vulnerability allows remote attackers to manipulate the productNameTxt argument, injecting malicious SQL queries that could be executed by the application's database. The lack of proper input validation is the root cause of this vulnerability.
Exploitation of this vulnerability allows for unauthorized database access, potential leakage or manipulation of sensitive data, and could disrupt normal service operations.
To reproduce this vulnerability, navigate to the Update Medicines page in the application. Once there, send a request that includes a crafted payload in the productNameTxt parameter. The payload should be designed to exploit the SQL injection vulnerability, such as by appending SQL commands that could be executed by the database.
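The pattern behind the reported weakness, as an added example that is not the project's code: the value of productNameTxt pasted into the SQL text beside the parameterised form that fixes it. It is modelled in Python against an in-memory SQLite database so it runs offline; the medicines table, its columns and the sample rows are assumed.

```python
# Added illustration (not the project's code): the update pattern the advisory
# describes, modelled in Python against an in-memory SQLite database so it runs
# offline. Table name, column names and sample rows are assumptions.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's medicines table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE medicines (name TEXT PRIMARY KEY, price REAL)")
    conn.executemany(
        "INSERT INTO medicines VALUES (?, ?)",
        [("Paracetamol", 2.5), ("Ibuprofen", 4.0), ("O'Neil Syrup", 6.0)],
    )
    return conn


def update_price_unsafe(conn, product_name_txt: str, price: float) -> int:
    """Vulnerable pattern: the productNameTxt value is pasted into the SQL text.

    Any SQL syntax in the input (a quote, a keyword) becomes part of the
    statement, which is the root cause the advisory reports.
    """
    sql = f"UPDATE medicines SET price = {price} WHERE name = '{product_name_txt}'"
    return conn.execute(sql).rowcount


def update_price_safe(conn, product_name_txt: str, price: float) -> int:
    """Hardened form: a parameterised query binds the input as data only."""
    sql = "UPDATE medicines SET price = ? WHERE name = ?"
    return conn.execute(sql, (price, product_name_txt)).rowcount


def rows_affected_with_quote(unsafe: bool) -> str:
    """Show how each version handles a legitimate name that contains a quote.

    Returns "error" if the statement failed to parse, else the rows changed.
    """
    conn = make_db()
    fn = update_price_unsafe if unsafe else update_price_safe
    try:
        return str(fn(conn, "O'Neil Syrup", 7.0))
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    print("unsafe:", rows_affected_with_quote(unsafe=True))   # error
    print("safe:", rows_affected_with_quote(unsafe=False))    # 1
```

The unsafe version fails as soon as the input contains a quote, which is the same property that lets crafted input alter the query; the bound parameter keeps the name as a literal regardless of its content.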