Code-Projects Medical Store Management System SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability exists in Code-Projects Medical Store Management System version 1.0, in the Update Company page implemented in UpdateCompany.java. The value entered in the companyNameTxt field is used to build the SQL statement that updates the company record, so an attacker who controls that field can alter the structure of the statement and run SQL of their choosing against the application's database. Successful exploitation can lead to unauthorized database access, data manipulation, and leakage of sensitive information.

Impact

Exploitation gives the attacker direct influence over the statements the application sends to its database. Depending on the database account's privileges this can mean reading data the attacker should not see, modifying or deleting records, and in some cases executing administrative operations on the database.

Reproduction

To reproduce, open the Update Company page in the application and, in the companyNameTxt field, enter a value that closes the string literal and continues with SQL (a single quote followed by SQL), then submit the update. The database executes the resulting statement, injected SQL included, which demonstrates the vulnerability. A quick sanity check is a harmless value containing an apostrophe, such as a name like O'Neil: if the update fails with a database syntax error, the field value is being spliced into the query text rather than bound as a parameter.
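The following is an added example, not code from the advisory or from the Medical Store Management System project. The project is Java and the vulnerable statement lives in UpdateCompany.java; this Python re-creation uses the standard-library sqlite3 module so it runs offline, and models the same two patterns: an UPDATE built by string concatenation from the text-field value (the vulnerable shape, equivalent to java.sql.Statement with concatenated strings) beside a parameterised UPDATE (equivalent to java.sql.PreparedStatement with setString/setInt). The table name, columns, sample rows, and function names are assumptions for the demonstration. The payload follows the reproduction step above: a closing single quote followed by SQL that adds a second assignment, supplies a WHERE clause matching every row, and comments out the application's own WHERE clause.

```python
import sqlite3

# Constructed sample data standing in for the application's database.
# Schema and rows are assumptions for this example, not the project's.
SAMPLE_COMPANIES = [
    (1, "Acme Pharma", "1 Main St"),
    (2, "Beta Labs", "2 Side Rd"),
    (3, "Gamma Meds", "3 Back Ln"),
]

# Payload of the shape the advisory describes: a quote that closes the
# string literal, then SQL. Inside the concatenated UPDATE it becomes
#   UPDATE company SET name = 'Owned', address = 'attacker' WHERE 1=1 --' WHERE id = 1
# so every row is rewritten and the original WHERE clause is commented out.
PAYLOAD = "Owned', address = 'attacker' WHERE 1=1 --"


def make_db():
    """Fresh in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT NOT NULL, address TEXT)"
    )
    conn.executemany("INSERT INTO company VALUES (?, ?, ?)", SAMPLE_COMPANIES)
    conn.commit()
    return conn


def update_company_vulnerable(conn, company_id, company_name):
    """Vulnerable shape (assumed, modelled on the advisory): the text-field
    value is spliced into the SQL text, so it can change the statement's grammar.
    Returns the number of rows the database reports as changed."""
    sql = (
        "UPDATE company SET name = '" + company_name + "'"
        " WHERE id = " + str(int(company_id))
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_company_safe(conn, company_id, company_name):
    """Hardened shape: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    cur = conn.execute(
        "UPDATE company SET name = ? WHERE id = ?",
        (company_name, int(company_id)),
    )
    conn.commit()
    return cur.rowcount


def snapshot(conn):
    """Current table contents as a list of (id, name, address) tuples."""
    return conn.execute("SELECT id, name, address FROM company ORDER BY id").fetchall()


def apostrophe_breaks_vulnerable():
    """The sanity check from the reproduction notes: a legitimate name with an
    apostrophe makes the concatenated statement a syntax error, which is the
    tell-tale sign that the value is not being bound."""
    conn = make_db()
    try:
        update_company_vulnerable(conn, 2, "O'Neil Pharma")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run the payload through both shapes against identical databases."""
    vuln = make_db()
    changed_vuln = update_company_vulnerable(vuln, 1, PAYLOAD)
    safe = make_db()
    changed_safe = update_company_safe(safe, 1, PAYLOAD)
    return {
        "vulnerable_rows_changed": changed_vuln,   # all three rows
        "vulnerable_rows": snapshot(vuln),
        "safe_rows_changed": changed_safe,         # exactly the targeted row
        "safe_rows": snapshot(safe),               # payload stored as literal text
        "apostrophe_breaks_vulnerable": apostrophe_breaks_vulnerable(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fix for the Java original is the same as the safe function here: build the statement once with `?` placeholders in a PreparedStatement and bind the companyNameTxt value with setString, so the database receives the value as data rather than as part of the query text. Escaping quotes by hand is not an adequate substitute.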

Added: Aug 14, 2025, 3:21 AM
Updated: Aug 14, 2025, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.