Title | Virtual Airlines Manager 2.6.2 SQL Injection |
---|
Description | A SQL Injection vulnerability exists in Virtual Airlines Manager v2.6.2 due to insufficient input validation in multiple GET parameters. This allows an attacker to inject arbitrary SQL queries, potentially leading to unauthorized database access, data exfiltration, and, depending on database permissions, data modification or deletion. The vulnerable endpoints include:
/vam/index.php?page=manual_flight_details&ID=10
/vam/index.php?page=plane_info_public&registry_id=10
/vam/index.php?page=fleet_public&plane_icao=1
By exploiting this vulnerability, an attacker can enumerate database names, extract sensitive information such as user credentials (if stored in plaintext or weakly hashed), and potentially execute administrative operations. |
---|
Source | ⚠️ https://vam.fidusair.com/vam/index.php?page=manual_flight_details&ID=10 |
---|
User | davimo (UID 79678) |
---|
Submission | 03/03/2025 04:24 PM (4 months ago) |
---|
Moderation | 03/15/2025 09:40 PM (12 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 299820 [VAM Virtual Airlines Manager up to 2.6.2 HTTP GET Parameter /vam/index.php ID/registry_id/plane_icao sql injection] |
---|
Points | 20 |
---|
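
The description names three page/parameter pairs on `/vam/index.php`. As an added example (not part of the VulDB entry or of Virtual Airlines Manager), the following Python function scans web-server access logs for requests to those pages whose parameter value falls outside an allowlist. The combined log format, the allowlist pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter to check for each vulnerable page named in the description.
WATCHED = {
    "manual_flight_details": "ID",
    "plane_info_public": "registry_id",
    "fleet_public": "plane_icao",
}
# Assumption: legitimate values are short alphanumeric tokens (the page shows 10, 10, 1).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (line_no, page, param, decoded_value) for values outside the allowlist."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/vam/index.php"):
            continue
        # parse_qs URL-decodes values, so encoded quotes and spaces are seen as-is.
        query = parse_qs(url.query, keep_blank_values=True)
        page = query.get("page", [""])[0]
        param = WATCHED.get(page)
        if param is None:
            continue
        for value in query.get(param, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((no, page, param, value))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2025:16:20:01 +0000] "GET /vam/index.php?page=manual_flight_details&ID=10 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Mar/2025:16:21:44 +0000] "GET /vam/index.php?page=manual_flight_details&ID=10%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5310',
    '203.0.113.9 - - [03/Mar/2025:16:22:02 +0000] "GET /vam/index.php?page=fleet_public&plane_icao=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 312',
    '198.51.100.7 - - [03/Mar/2025:16:23:10 +0000] "GET /vam/index.php?page=plane_info_public&registry_id=10 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Tighten `SAFE_VALUE` per parameter once the real value formats of the installation are known; a hit is a lead for review, not proof of compromise.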