CVE-2018-5977
Description
SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&price_type=range&price= request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affiligator 2.1.0 suffers from SQL injection via the search endpoint, allowing unauthenticated attackers to extract database contents.
Vulnerability
Affiligator Affiliate Webshop Management System version 2.1.0 is vulnerable to a SQL injection in the search/ endpoint. The price parameter, when combined with price_type=range, is directly concatenated into SQL queries without proper sanitization or parameterization. The vulnerability can be triggered by sending a crafted request to http://localhost/[PATH]/search/?q=&price_type=range&price=[SQL] [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication or prior privileges. Injecting a SQL payload into the price parameter (URL-encoded or plain) alters the query the application runs against its database. The exploit-db proof of concept retrieves the database version with group_concat(Version()) [1]; its `select!...-~0.` construction has the form of the MySQL BIGINT UNSIGNED overflow error-based technique, which surfaces a subquery's result inside the database error message, so that PoC as written relies on the application returning SQL errors to the client (UNION-based or blind extraction would not). No special network position or user interaction is required; the attack is a single HTTP GET request.
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, including user credentials, session data, or other application data. This constitutes a compromise of confidentiality (data disclosure) and can potentially lead to further privilege escalation if the extracted data includes administrator credentials. The scope of compromise is the entire database content accessible by the web application's database user [1].
Mitigation
No patch or fixed version had been released for Affiligator 2.1.0 as of publication; neither the vendor homepage (getaffiligator.com) nor the CodeCanyon listing offers an update. The actual fix belongs in the application's search handler: validate that price matches the expected numeric range format and pass the bounds to the database as bound parameters instead of string-concatenated SQL. Until such a fix is applied, restrict the application to trusted networks and ensure database error messages are not returned to clients (that blunts the error-based proof of concept, not the injection itself). The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `price` parameter of the search endpoint allows SQL injection."
Attack vector
An attacker sends an HTTP GET request to the `/search/` endpoint with the `q`, `price_type`, and `price` parameters. By injecting SQL syntax into the `price` parameter, the attacker can manipulate the underlying database query [ref_id=1]. The exploit-db entry demonstrates a URL-encoded payload that extracts the database version using `group_concat(Version())` [ref_id=1]. No authentication is required beyond network access to the web application.
Affected code
The vulnerability is in the search functionality of Affiligator Affiliate Webshop Management System 2.1.0. The `search/?q=&price_type=range&price=` endpoint passes unsanitized user input from the `price` parameter into SQL queries [ref_id=1].
What the fix does
No patch or official fix is included in the bundle. The advisory does not specify whether the vendor released a remediation [ref_id=1]. To close the vulnerability, the application should use parameterized queries or prepared statements for the `price` parameter in the search functionality, and validate that the input matches an expected numeric or range format before including it in a SQL query.
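As an added illustration (not code from Affiligator, whose source is not in the bundle), the constructed Python below places the two query-building styles side by side: a deliberately vulnerable handler that splices a `min-max` price string into the SQL text, as the advisory describes, and a hardened one that validates the format and binds both bounds as parameters. The `min-max` format, the table schema, the sample rows and the UNION payload are assumptions; SQLite stands in for the MySQL backend that the PoC's `Version()` call and `!x-~0.` construct imply, so the page's own error-based payload is used only to show that validation rejects it.

```python
import re
import sqlite3

# Constructed sample data; the real Affiligator schema is not known.
SAMPLE_PRODUCTS = [("Widget", 15.0), ("Gadget", 120.0), ("Gizmo", 950.0)]
SAMPLE_USERS = [("admin", "constructed-hash")]

# Assumed format for price_type=range: "<min>-<max>", non-negative decimals.
RANGE_RE = re.compile(r"^(\d+(?:\.\d{1,2})?)-(\d+(?:\.\d{1,2})?)$")


def make_db():
    """In-memory stand-in for the webshop database (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, price):
    """Deliberately vulnerable: mirrors the flaw in the advisory, where the raw
    `price` value is spliced into the SQL text. Do not copy."""
    low, high = price.split("-", 1)
    sql = f"SELECT name, price FROM products WHERE price BETWEEN {low} AND {high}"
    return conn.execute(sql).fetchall()


def parse_price_range(price):
    """Return (low, high) as floats, or None if `price` is not a well-formed range.
    Accepting only two decimals joined by '-' removes every character an
    injection needs (spaces, quotes, parentheses, keywords)."""
    m = RANGE_RE.fullmatch(price.strip())
    if m is None:
        return None
    low, high = float(m.group(1)), float(m.group(2))
    if low > high:
        return None
    return low, high


def search_hardened(conn, price):
    """Validate first, then bind both bounds as parameters so the driver never
    lets user data become SQL syntax."""
    bounds = parse_price_range(price)
    if bounds is None:
        raise ValueError("price must look like <min>-<max>")
    sql = "SELECT name, price FROM products WHERE price BETWEEN ? AND ? ORDER BY price"
    return conn.execute(sql, bounds).fetchall()


def is_rejected(price):
    """True when the hardened handler refuses the value before any SQL runs."""
    return parse_price_range(price) is None


if __name__ == "__main__":
    db = make_db()
    # Constructed UNION payload; the exploit-db PoC uses a MySQL-specific
    # error-based construct instead, which SQLite would not accept.
    payload = "0-1000 UNION SELECT login, pw_hash FROM users"
    print("vulnerable:", search_vulnerable(db, payload))  # includes the users row
    print("hardened:  ", search_hardened(db, "0-100"))
    print("rejected:  ", is_rejected(payload))
```

The two layers are deliberate: the regex rejects malformed input early with a clear error, and the bound parameters protect the query even if a future change loosens the validation. Either layer alone closes the injection; both together is the defensive default.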
Preconditions
- network: The attacker must be able to send HTTP GET requests to the web application.
- auth: No authentication is required; the search endpoint is publicly accessible.
- input: The attacker supplies a malicious SQL payload in the `price` query parameter.
Reproduction
1. Send a GET request to `http://localhost/[PATH]/search/?q=&price_type=range&price=[SQL]`, where `[SQL]` is a SQL injection payload.
2. For example, the URL-encoded payload `%31%30%30%20%61%6e%64%28%73%65%6c%65%63%74%21%56%65%72%41%79%61%72%69%2d%7e%30%2e%20%66%72%6f%6d%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%56%65%72%73%69%6f%6e%28%29%29%29%79%29%78%29` decodes to `100 and(select!VerAyari-~0. from(select(select group_concat(Version()))y)x)` and extracts the database version [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- https://www.exploit-db.com/exploits/43861/ (Exploit-DB; MITRE x_refsource_EXPLOIT-DB)
News mentions
No linked articles in our index yet.