| عنوان | QueryMine sms 1.0 SQL Injection vulnerability |
|---|
| الوصف | The admin/editcourse.php file is responsible for handling the course editing function in the background management system. When querying course information, the code directly obtains the course ID from the GET request parameter id through $_GET['id'], and concatenates it into the SQL query statement SELECT * FROM course WHERE course_id='$get_course_id' without any input filtering, parameterization or escaping. This results in a SQL injection vulnerability. Attackers can construct malicious request parameters to execute arbitrary SQL statements, obtain sensitive data in the database (such as user credentials, course information), modify or delete data, and even gain server control in severe cases. In addition, the project does not enable the Issue function, making it impossible to submit vulnerability reports and repair suggestions to the project maintainers through the official repository. |
|---|
| المصدر | ⚠️ https://github.com/duckpigdog/CVE/blob/main/QueryMine_sms%20PHP%20Project%20Deployment%20Document%20(Windows%20Local)-2.md |
|---|
| المستخدم | yanxiao (UID 96717) |
|---|
| ارسال | 24/03/2026 08:47 AM (1 شهر منذ) |
|---|
| الاعتدال | 17/04/2026 09:14 AM (24 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 358032 [QueryMine sms حتى 7ab5a9ea196209611134525ffc18de25c57d9593 GET Request Parameter admin/editcourse.php معرف حقن SQL] |
|---|
| النقاط | 20 |
|---|