CVE-2022-41498

Vulnerability

Billing System Project v1.0, available from SourceCodester, contains a SQL injection vulnerability in the /phpinventory/editbrand.php endpoint. The id parameter is directly concatenated into a SQL query without proper sanitization or parameterization, enabling an attacker to inject arbitrary SQL commands. The application is built using XAMPP with PHP 8.1 and uses a MySQL database named store1.

Exploitation

An attacker must first authenticate as a Super Admin (default credentials mayurik/rootadmin as noted in the reference [1]). Once logged in, a crafted GET request to /phpinventory/editbrand.php?id=-1' union select 1,database(),3,4--+ triggers the injection. The attacker can modify the payload to extract other data from the database. No special network position or user interaction beyond authentication is required.

Impact

Successful exploitation allows the attacker to retrieve sensitive information from the database, such as the database name (store1), and potentially other tables containing user credentials, billing records, or configuration data. The attack is limited to data exfiltration (confidentiality impact) and does not directly enable code execution or privilege escalation.

Mitigation

No official patch or fixed version has been released by the vendor as of the publication date (2022-10-17). The application appears to be unmaintained; users should consider migrating to an alternative solution or implementing input validation and prepared statements for the id parameter. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.