| Название | 1000 Projects portfolio-management-system v1.0 SQL Injection |
|---|
| Описание | A critical SQL injection vulnerability exists in 1000project `admin/block_status.php` and `admin/unblock_me.php`. The vulnerability allows an attacker to inject malicious SQL code through base64-encoded parameters, enabling unauthorized modification of user account status.
**Key Characteristics:**
- **Attack Vector**: Base64 encoded parameter injection
- **Impact**: Unauthorized user account status modification
- **Authentication**: Requires admin session (but can be bypassed)
The vulnerability stems from directly concatenating base64-decoded user input into SQL statements without any parameterization or validation. |
|---|
| Источник | ⚠️ https://github.com/9str0IL/CVE/issues/3 |
|---|
| Пользователь | 9str0il (UID 97218) |
|---|
| Представление | 10.04.2026 04:59 (2 месяцы назад) |
|---|
| Модерация | 26.04.2026 21:47 (17 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 359742 [1000 Projects Portfolio Management System MCA до 1.0 /admin/block_status.php q SQL-инъекция] |
|---|
| Баллы | 20 |
|---|