| Title | CodeAstro Human Resource Management System in PHP CodeIgniter v1.0 Boolean, Error and Time-Based SQL Injection |
|---|
| Description | A critical SQL Injection vulnerability exists in the Human Resource Management System developed by CodeAstro. The issue is present in the employee view functionality where the (I) GET parameter is base64-decoded and passed into the GetFileInfo function without sanitization. An attacker can inject arbitrary SQL queries through this parameter, leading to full database compromise including data exfiltration, modification, and potential service disruption. The vulnerability is exploitable via boolean-based blind, error-based, and time-based SQL injection techniques. |
|---|
| Source | ⚠️ https://github.com/ashikmd0507/CVE/tree/main/SQL%20Injection%20via%20GetFileInfo%20Function |
|---|
| User | ashikmd7 (UID 98284) |
|---|
| Submission | 05/29/2026 05:07 (1 month ago) |
|---|
| Moderation | 06/28/2026 11:27 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 374543 [CodeAstro Human Resource Management System 1.0 View Endpoint Employee_model.php GetFileInfo ID sql injection] |
|---|
| Points | 20 |
|---|