Submit #782202: halex CourseSEL 1.1.0 SQL Injectioninfo

Titlehalex CourseSEL 1.1.0 SQL Injection
DescriptionA SQL Injection vulnerability exists in the CourseSEL system (a ThinkPHP 3.2 based application) due to the lack of parameterization and improper input sanitization in the Apps/Index/Controller/IndexController.class.php file. The check_sel method directly concatenates the user-supplied HTTP GET parameter seid into the SQL query string using the framework's where() method. An authenticated attacker with standard student privileges can exploit this vulnerability to trigger an Error-based SQL Injection, allowing them to bypass authorization, extract sensitive database schemas, and dump administrative credentials.
Source⚠️ https://github.com/zy606/Vulnerability-Report/tree/main/CourseSEL-SQLi
User
 Zyyyy (UID 96412)
Submission03/18/2026 09:52 (21 days ago)
Moderation04/04/2026 08:42 (17 days later)
StatusAccepted
VulDB entry355290 [halex CourseSEL up to 1.1.0 HTTP GET Parameter IndexController.class.php check_sel seid sql injection]
Points20

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!