| Field | Value |
|---|---|
| Title | https://www.sourcecodester.com/php/17280/advocate-office-management-system-free-download.html V1.0 SQL Injection |
| Description | In the core business module of this office management system, a critical SQL injection vulnerability exists in the activate_case.php processing file located at the server path /kortex_lite/kortex_lite/control/activate_case.php. The root cause of this vulnerability is that developers failed to implement compliant filtering, escaping, or parameterized query processing for core parameters passed by users (such as case activation identifiers, user operation credentials, business process numbers, etc.) when writing database interaction logic. This allows attackers to construct malicious SQL statement fragments and splice them into the system's normal database query statements, thereby breaking through the security restrictions on data access.<br>By exploiting this vulnerability, attackers can bypass the system's identity verification and permission control mechanisms to execute arbitrary unauthorized SQL operations: they can not only illegally read and steal sensitive information stored in the system (including user account passwords, enterprise case data, employee identity information, financial transaction records, core business configurations, etc.) but also tamper with critical data in the database (such as modifying case activation status, forging business approval records, adjusting user permission levels). Furthermore, attackers can achieve database privilege escalation through SQL injection to gain operational access to the database server, ultimately leading to the complete collapse of the data security defense line of the entire office management system. This brings a series of severe consequences to the enterprise, including data leakage, theft of trade secrets, disruption of business processes, and legal compliance risks. |
| Source | ⚠️ https://github.com/yuan384/cve/issues/2 |
| User | yuan384 (UID 95948) |
| Submission | 27.02.2026 07:45 (1 month ago) |
| Moderation | 07.03.2026 21:53 (9 days later) |
| Status | Duplicate |
| VulDB Entry | 260274 [SourceCodester Kortex Lite Advocate Office Management System 1.0 activate_case.php ID SQL Injection] |
| Points | 0 |