| タイトル | QueryMine sms 1.0 SQL Injection vulnerability |
|---|
| 説明 | The admin/editcourse.php file is responsible for handling the course editing function in the background management system. When querying course information, the code directly obtains the course ID from the GET request parameter id through $_GET['id'], and concatenates it into the SQL query statement SELECT * FROM course WHERE course_id='$get_course_id' without any input filtering, parameterization or escaping. This results in a SQL injection vulnerability. Attackers can construct malicious request parameters to execute arbitrary SQL statements, obtain sensitive data in the database (such as user credentials, course information), modify or delete data, and even gain server control in severe cases. In addition, the project does not enable the Issue function, making it impossible to submit vulnerability reports and repair suggestions to the project maintainers through the official repository. |
|---|
| ソース | ⚠️ https://github.com/duckpigdog/CVE/blob/main/QueryMine_sms%20PHP%20Project%20Deployment%20Document%20(Windows%20Local)-2.md |
|---|
| ユーザー | yanxiao (UID 96717) |
|---|
| 送信 | 2026年03月24日 08:47 (1 月 ago) |
|---|
| モデレーション | 2026年04月17日 09:14 (24 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 358032 [QueryMine sms 迄 7ab5a9ea196209611134525ffc18de25c57d9593 GET Request Parameter admin/editcourse.php 識別子 SQLインジェクション] |
|---|
| ポイント | 20 |
|---|