| Field | Value |
|---|---|
| Title | QueryMine sms 1.0 SQL Injection vulnerability |
| Description | The admin/editcourse.php file is responsible for handling the course editing function in the background management system. When querying course information, the code directly obtains the course ID from the GET request parameter `id` through `$_GET['id']` and concatenates it into the SQL query statement `SELECT * FROM course WHERE course_id='$get_course_id'` without any input filtering, parameterization or escaping. This results in a SQL injection vulnerability. Attackers can construct malicious request parameters to execute arbitrary SQL statements, obtain sensitive data in the database (such as user credentials and course information), modify or delete data, and even gain server control in severe cases. In addition, the project does not enable the Issues function, making it impossible to submit vulnerability reports and repair suggestions to the project maintainers through the official repository. |
| Source | https://github.com/duckpigdog/CVE/blob/main/QueryMine_sms%20PHP%20Project%20Deployment%20Document%20(Windows%20Local)-2.md |
| User | yanxiao (UID 96717) |
| Submitted | 2026-03-24 08:47 AM (1 month ago) |
| Moderation | 2026-04-17 09:14 AM (24 days later) |
| Status | Accepted |
| VulDB Entry | 358032 [QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593 GET Request Parameter admin/editcourse.php id SQL injection] |
| Points | 20 |
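The following is an added illustration of the pattern the report describes, not code from the QueryMine sms project or its admin/editcourse.php. It places the concatenated query the report quotes next to a parameterized version using mysqli prepared statements, so the difference a reviewer would look for is visible side by side. The `$mysqli` connection, the function names, and the use of `get_result()` (which needs the mysqlnd driver) are assumptions; whether `course_id` is numeric in the schema is not stated by the report, so the optional integer check is labelled as an assumption too.

```php
<?php
// Added example (not the project's own file). Assumes an existing mysqli
// connection in $mysqli and a table `course` with a `course_id` column.

// Vulnerable pattern as described in the report: the raw GET parameter is
// interpolated into the SQL text, so any quote or SQL syntax in `id`
// becomes part of the statement the database executes.
function get_course_unsafe(mysqli $mysqli, array $get): ?array
{
    $get_course_id = $get['id'] ?? '';
    $sql = "SELECT * FROM course WHERE course_id='$get_course_id'";
    $result = $mysqli->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened form: the value is bound as a parameter, so the database always
// treats it as data and never as SQL text, whatever characters it contains.
function get_course_safe(mysqli $mysqli, array $get): ?array
{
    $get_course_id = $get['id'] ?? '';
    $stmt = $mysqli->prepare("SELECT * FROM course WHERE course_id = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $get_course_id);
    $stmt->execute();
    $result = $stmt->get_result();   // requires mysqlnd (assumption)
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row;
}

// Optional defence in depth (assumption: course_id is an integer column).
// Rejecting non-integer input before the query shrinks the input space even
// though the bound parameter above is already the actual fix.
function course_id_from_request(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    return $id === false ? null : (int) $id;
}

// Usage inside a request handler (connection setup omitted):
// $course = get_course_safe($mysqli, $_GET);
```

The two functions return the same rows for well-formed ids; only the hardened one keeps returning a single course row when the parameter contains quotes or SQL keywords, which is the behaviour to verify when reviewing the fix.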