| Field | Value |
|---|---|
| Title | ProjectsAndPrograms school-management-system commit 6b6fae5 SQL Injection |
| Description | A critical SQL Injection vulnerability exists in the `buslocation.php` file within the `student_panel` directory of the School Management System. The application fails to properly sanitize or parameterize user-supplied input before using it in a database query. <br> Specifically, on line 54 of `student_panel/buslocation.php`, the `bus_id` HTTP GET parameter is directly concatenated into the SQL statement: `$sql = "SELECT * FROM bus_root WHERE bus_id='{$_GET['bus_id']}'";` <br> This is a high-severity vulnerability. Successful exploitation allows a remote attacker to bypass the intended database query logic. |
| Source | ⚠️ https://tcn60zf28jhk.feishu.cn/wiki/MdHFw78Gmi1zbske8Ozc6XTjnIh?from=from_copylink |
| User | EthX0_ (UID 96627) |
| Submitted | 2026-03-28 09:13 AM (24 days ago) |
| Moderation | 2026-04-19 12:53 PM (22 days later) |
| Status | Accepted |
| VulDB Entry | 358230 [ProjectsAndPrograms School Management System up to 6b6fae5426044f89c08d0dd101c7fa71f9042a59 HTTP GET Parameter buslocation.php bus_id SQL Injection] |
| Points | 20 |
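To make the concatenation on line 54 concrete, the following is an added example; it is not code from the school-management-system project or from the submission. It mirrors the vulnerable PHP string interpolation in Python against an in-memory SQLite table so that the effect can be observed offline. The table name `bus_root` and the `bus_id` column follow the advisory; the `root` column, the three sample rows and the `' OR '1'='1` payload are constructed for the demonstration, and SQLite stands in for whatever database the PHP application actually uses.

```python
"""Added example: attacker-controlled bus_id altering a concatenated query,
beside the parameterized form that is immune to it.
Schema, rows and payload are constructed; only bus_root/bus_id come from the advisory."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway SQLite database with a constructed bus_root table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bus_root (bus_id TEXT, root TEXT)")
    conn.executemany(
        "INSERT INTO bus_root VALUES (?, ?)",
        [("B1", "north"), ("B2", "south"), ("B3", "east")],  # constructed rows
    )
    return conn


def vulnerable_query(conn: sqlite3.Connection, bus_id: str) -> list:
    """Same shape as the PHP line:
    $sql = "SELECT * FROM bus_root WHERE bus_id='{$_GET['bus_id']}'";
    The caller's string becomes part of the SQL text, quotes and all."""
    sql = f"SELECT * FROM bus_root WHERE bus_id='{bus_id}'"
    return conn.execute(sql).fetchall()


def safe_query(conn: sqlite3.Connection, bus_id: str) -> list:
    """Parameterized form: bus_id travels to the engine as a bound value,
    so a quote inside it can never terminate the literal or add a condition."""
    return conn.execute("SELECT * FROM bus_root WHERE bus_id=?", (bus_id,)).fetchall()


# Constructed attacker input. Interpolated, it yields:
#   SELECT * FROM bus_root WHERE bus_id='' OR '1'='1'
# which is valid SQL whose WHERE clause is always true.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the three cases and return the rows each one produced."""
    conn = make_db()
    return {
        "normal": vulnerable_query(conn, "B1"),        # the one matching row
        "injected": vulnerable_query(conn, PAYLOAD),   # every row: filter bypassed
        "parameterized": safe_query(conn, PAYLOAD),    # no rows: payload is just a string
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:14s} -> {rows}")
```

The PHP-side equivalent of `safe_query` is a `mysqli` or PDO prepared statement with `bus_id` bound as a parameter in place of the interpolated `$_GET['bus_id']`; escaping the value would also close this particular hole, but binding removes the whole class of mistake rather than one instance of it.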