SourceCodester Computer Laboratory Management System 1.0 allows classes/Master.php id SQL Injection.
The vulnerability consists of improper validation and parameterization of input data passed through the id parameter to the classes/Master.php file. An attacker can inject malicious SQL code directly into the query executed on the database. The attack requires no authentication or user interaction, and the network vector (AV:N) means it can be carried out remotely over the network.
An attacker can gain full access to the application's database — including reading, modifying, and deleting data — which can lead to violations of confidentiality, integrity, and system availability. In certain configurations, execution of system commands on the server is also possible.
Apply patches available from the vendor according to the references. It is also recommended to implement parameterized SQL queries (prepared statements) in the application code and restrict system access only to trusted networks or apply application-level firewall (WAF).
SourceCodester Computer Laboratory Management System version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOretnom23 Computer Laboratory Management System
APPOretnom231.0
Related vulnerabilities
SQL Injection w SourceCodester Computer Laboratory Management System 1.0
SQL Injection w Computer Laboratory Management System v1.0 (parametr 'id')
SQL Injection w Computer Laboratory Management System v1.0
SQL Injection w Computer Laboratory Management System v1.0 — parametr 'id'
A SQL injection vulnerability in manage_damage.php in Sourcecodester Computer Laboratory Management System v1....