| Título | 1000 Projects portfolio-management-system v1.0 SQL Injection |
|---|
| Descrição | A critical SQL injection vulnerability exists in 1000project `admin/block_status.php` and `admin/unblock_me.php`. The vulnerability allows an attacker to inject malicious SQL code through base64-encoded parameters, enabling unauthorized modification of user account status.
**Key Characteristics:**
- **Attack Vector**: Base64 encoded parameter injection
- **Impact**: Unauthorized user account status modification
- **Authentication**: Requires admin session (but can be bypassed)
The vulnerability stems from directly concatenating base64-decoded user input into SQL statements without any parameterization or validation. |
|---|
| Fonte | ⚠️ https://github.com/9str0IL/CVE/issues/3 |
|---|
| Utilizador | 9str0il (UID 97218) |
|---|
| Submissão | 10/04/2026 04h59 (há 2 meses) |
|---|
| Moderação | 26/04/2026 21h47 (17 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 359742 [1000 Projects Portfolio Management System MCA até 1.0 /admin/block_status.php q Injeção SQL] |
|---|
| Pontos | 20 |
|---|