| Field | Value |
|---|---|
| Title | 1000 Projects Beauty Parlour Management System V1.0 SQL Injection |
| Description | The primary root cause is insufficient sanitization of user input in the “Array-like #1* ((custom) POST)” parameter. The application concatenates these values directly into SQL statements, allowing an attacker to embed arbitrary SQL into the query.<br><br>**Database Compromise**: attackers may escalate privileges, read sensitive data, or make unauthorized modifications.<br>**Data Leakage**: confidential information (e.g., customer details, service logs) could be exposed.<br>**Service Interruption**: malicious queries (such as time-based “SLEEP” injections) may degrade system performance or trigger crashes.<br>**System Control**: in some scenarios, attackers pivot from the database to broader system-level access when this is combined with other exploits. |
| Source | https://github.com/lings3346/CVE/blob/main/SQL_Injection_in_Beauty_Parlour_Management_System.md |
| User | lings3346 (UID 79542) |
| Submission | 30/12/2024 15:19 (1 year ago) |
| Moderation | 31/12/2024 09:46 (18 hours later) |
| Status | Accepted |
| VulDB Entry | 289826 [1000 Projects Beauty Parlour Management System 1.0 Customer Detail add-customer-services.php sids[] SQL Injection] |
| Points | 20 |
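The root cause named in the description is a POST array parameter (`sids[]`) spliced straight into a SQL statement. The following is an added illustrative example, not code from the project or the advisory: the unsafe pattern beside a hardened version that validates each element and binds it through a prepared statement. The table and column names, the `cid` field and the `mysqli` connection are assumptions.

```php
<?php
// Added illustrative example (not the project's code). Assumed schema:
// customer_services(cust_id, service_id). $_POST['sids'] is the array
// parameter (sids[]) named in the advisory.

// VULNERABLE pattern: each array element is interpolated into the SQL text,
// so any element containing SQL syntax changes the structure of the query.
function add_services_vulnerable(mysqli $db, int $custId, array $sids): bool {
    $values = [];
    foreach ($sids as $sid) {
        $values[] = "($custId, '$sid')";   // raw user input inside SQL
    }
    $sql = "INSERT INTO customer_services (cust_id, service_id) VALUES "
         . implode(',', $values);
    return (bool) $db->query($sql);
}

// HARDENED: reject anything that is not a positive integer, then bind every
// value with a typed placeholder so input never reaches the SQL parser.
function add_services_safe(mysqli $db, int $custId, array $sids): bool {
    $ids = [];
    foreach ($sids as $sid) {
        if (!is_int($sid) && !is_string($sid)) {
            return false;                          // nested arrays etc.
        }
        $n = filter_var($sid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            return false;                          // not a valid service id
        }
        $ids[] = $n;
    }
    if ($ids === []) {
        return true;                               // nothing to insert
    }

    $stmt = $db->prepare(
        "INSERT INTO customer_services (cust_id, service_id) VALUES (?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    $id = 0;
    $stmt->bind_param('ii', $custId, $id);         // bound by reference once
    $db->begin_transaction();
    foreach ($ids as $id) {                        // reassigning $id re-binds
        if (!$stmt->execute()) {
            $db->rollback();
            return false;
        }
    }
    return $db->commit();
}

// Usage with assumed connection details and request field names:
// $db = new mysqli('localhost', 'user', 'pass', 'bpms');
// add_services_safe($db, (int) ($_POST['cid'] ?? 0), $_POST['sids'] ?? []);
```

Rejecting non-integer elements up front also gives a clean place to log attempts, which is where time-based probes like those mentioned in the description become visible before they reach the database.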