| Field | Value |
|---|---|
| Title | SourceCodester AC Repair and Services System v1.0 SQL Injection |
| Description | A SQL Injection vulnerability has been identified in the php-acrss application within the delete_inquiry function. The vulnerable code directly interpolates user-controlled input into an SQL query without proper validation or parameterization. This flaw allows an authenticated—and in some configurations unauthenticated—attacker to manipulate the underlying database.<br>File: php-acrss/classes/Master.php<br>Function: delete_inquiry<br>Line: 154<br>The delete_inquiry function constructs an SQL query by concatenating the $id parameter directly into the statement:<br>`$del = $this->conn->query("DELETE FROM inquiry_list where id = '{$id}'");`<br>Because the input is neither sanitized nor validated, a malicious user can inject arbitrary SQL payloads via the id parameter. This can lead to unauthorized deletion of database records or execution of additional SQL commands depending on the database permissions. |
| Source | https://github.com/regrews/cve-vulnerabilities/issues/1 |
| User | regrews (UID 92696) |
| Submitted | 2025-11-17 02:22 PM (5 months ago) |
| Moderation | 2025-11-22 05:55 PM (5 days later) |
| Status | Duplicate |
| VulDB Entry | 234223 [SourceCodester AC Repair and Services System 1.0 HTTP POST Request Master.php?f=delete_inquiry id SQL Injection] |
| Points | 0 |
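The remediation for the interpolated query quoted in the description, written here as an added example rather than code from the php-acrss project: the id is validated as a positive integer and then passed as a bound parameter of a mysqli prepared statement, so the value can never be interpreted as SQL text. It assumes `$this->conn` is a `mysqli` connection and that `inquiry_list.id` is an integer column; the class and return shape are illustrative.

```php
<?php
// Added example, not php-acrss code: a hardened delete_inquiry using a
// mysqli prepared statement instead of string interpolation.
// Assumptions: $this->conn is a mysqli connection; inquiry_list.id is an INT column.
class Master
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    // Vulnerable shape quoted on this page, kept only as a comment for comparison:
    //   $del = $this->conn->query("DELETE FROM inquiry_list where id = '{$id}'");
    // Whatever arrives in $id becomes part of the SQL text the server parses.

    public function delete_inquiry(string $id): string
    {
        // Reject anything that is not a positive integer before touching the database.
        if (!ctype_digit($id) || (int)$id <= 0) {
            return json_encode(['status' => 'failed', 'msg' => 'Invalid inquiry id']);
        }

        // Query text and parameter value are sent to the server separately,
        // so the bound value is only ever compared against id, never parsed as SQL.
        $stmt = $this->conn->prepare('DELETE FROM inquiry_list WHERE id = ?');
        if ($stmt === false) {
            return json_encode(['status' => 'failed', 'msg' => 'Statement preparation failed']);
        }
        $intId = (int)$id;
        $stmt->bind_param('i', $intId);
        $ok = $stmt->execute();
        $affected = $stmt->affected_rows;
        $stmt->close();

        if (!$ok) {
            return json_encode(['status' => 'failed', 'msg' => 'Delete failed']);
        }
        // affected_rows distinguishes a real deletion from a non-existent id.
        return json_encode([
            'status' => $affected > 0 ? 'success' : 'failed',
            'msg'    => $affected > 0 ? 'Inquiry deleted' : 'No such inquiry',
        ]);
    }
}
```

The input check alone would already block the interpolation issue for an integer column, but the prepared statement is the control that holds regardless of how the id is later used or what type the column has.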