CRITICAL🇵🇱 Wersja polska

CVE-2025-46192

CVSS 9.8v3.1pub. 2025-05-09upd. 2025-05-22

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_payment_update.php via the order_id POST parameter.

🤖 AI Analysis
How it works

The vulnerability exists in the POST parameter named order_id, transmitted to the user_payment_update.php script. Input data is not properly validated or sanitized before being included in the SQL query. An attacker can inject malicious SQL code that will be executed directly by the database engine. The attack does not require authentication or any user interaction.

Impact

An attacker can gain full access to the database — read, modify, or delete its contents, including customer and transaction data. Depending on server configuration, it may also be possible to take control of the operating system.

Mitigation & patch

Apply patches available from the vendor according to references. As an immediate safeguard, it is recommended to restrict access to the vulnerable endpoint at the firewall or web server level and implement parameterized SQL queries (prepared statements) in the application code.

Who is affected

SourceCodester Client Database Management System version 1.0 — user_payment_update.php file, POST parameter order_id.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lerouxyxchire Client Database Management System

    APP
    Lerouxyxchire
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-46188CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Client Database Management System 1.0

CVE-2025-46189CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Client Database Management System 1.0

CVE-2025-46190CRITICAL9.8PL ✓ten sam produkt

SQL Injection w SourceCodester Client Database Management System 1.0

CVE-2025-46191CRITICAL9.8PL ✓ten sam produkt

Dowolne przesyłanie plików i RCE w SourceCodester Client Database Management System 1.0

CVE-2025-46193CRITICAL9.8PL ✓ten sam produkt

RCE poprzez Arbitrary File Upload w SourceCodester Client Database Management System 1.0