जमा करें #844491: sergomanov SmartHomeAdatum latest (2026-06, no formal release) SQL Injectionजानकारी

शीर्षकsergomanov SmartHomeAdatum latest (2026-06, no formal release) SQL Injection
विवरणDescription: SmartHomeAdatum smart home system contains unauthenticated SQL injection in user registration and deletion (CWE-89). File: users.php Vuln 1 - Registration log injection: mysqli_query($con,"INSERT INTO logs VALUES ('...".$_POST['login']."')"); $_POST['login'] directly concatenated into INSERT without sanitization. Vuln 2 - User deletion injection: $box_array = $_REQUEST['box']; foreach($box_array as $value) { mysqli_query($con,"DELETE FROM users WHERE id_user='$value'"); } $_REQUEST['box'] values directly concatenated into DELETE without sanitization. No authentication check on users.php. Uses deprecated mysql_* functions alongside mysqli. MIT-licensed open source smart home platform. Exploitation: Registration: POST login='); DROP TABLE users; -- Delete: POST del=1&box[]=1' OR '1'='1 Countermeasure: Use prepared statements with parameter binding. CVSS 9.8.
स्रोत⚠️ https://github.com/sergomanov/SmartHomeAdatum
उपयोगकर्ता
 Dest1ny_2 (UID 98658)
सबमिशन01/06/2026 05:54 AM (1 महीना पहले)
संयम11/07/2026 02:36 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि377805 [sergomanov SmartHomeAdatum तक cf495353d81b680675eb8d9aa14a318aa45ce12c Login users.php लॉग इन करें SQL इंजेक्शन]
अंक20

Might our Artificial Intelligence support you?

Check our Alexa App!