SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_delivery_update.php via the order_id POST parameter.
The vulnerability occurs in the POST parameter named order_id, passed to the user_delivery_update.php script. User-entered data is included in the SQL query without proper validation and sanitization, allowing an attacker to inject arbitrary SQL instructions. Due to the lack of authentication requirements (PR:N, UI:N), the exploit can be carried out by anyone with network access to the application.
An attacker can gain full access to the database, read, modify or delete collected data, and under favorable configuration conditions, lead to command execution on the server. The CVSS vector indicates high risk of breach of confidentiality, integrity and system availability.
Patches available from the manufacturer should be applied in accordance with references. Until the fix is implemented, it is recommended to restrict network access to the application and implement Web Application Firewall (WAF) rules blocking SQL injection attempts.
SourceCodester Client Database Management System version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLerouxyxchire Client Database Management System
APPLerouxyxchire1.0
Related vulnerabilities
SQL Injection w SourceCodester Client Database Management System 1.0
SQL Injection w SourceCodester Client Database Management System 1.0
Dowolne przesyłanie plików i RCE w SourceCodester Client Database Management System 1.0
SQL Injection w SourceCodester Client Database Management System 1.0
RCE poprzez Arbitrary File Upload w SourceCodester Client Database Management System 1.0