CVE-2022-44277
Description
Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/classes/Master.php?f=delete_product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Sanitization Management System v1.0 allows authenticated attackers to extract database contents via the delete_product endpoint.
Vulnerability
The Sanitization Management System v1.0, available from SourceCodester, contains a SQL injection vulnerability in the /php-sms/classes/Master.php?f=delete_product endpoint. The id parameter is directly concatenated into a SQL query without proper sanitization or parameterization, allowing an attacker to inject arbitrary SQL statements. The vulnerability is present in the delete_product function of the Master.php file. The application is built using PHP 8.1 and MySQL. [1]
Exploitation
An attacker with network access to the application can exploit this vulnerability by sending a POST request to /php-sms/classes/Master.php?f=delete_product with a crafted id parameter. The reference demonstrates exploitation using a Super Admin account (admin/admin123), indicating that authentication is required. The payload id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ triggers an error-based SQL injection that reveals the database name in the error message. The attacker can modify the payload to extract other data from the database. [1]
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, such as the database name (sms_db), and potentially other data including user credentials, product lists, and other application data. The attack leverages error-based SQL injection via the updatexml function, which causes the database to return an error containing the injected data. This leads to information disclosure, compromising the confidentiality of the database. [1]
Mitigation
As of the publication date (2022-12-02), no official patch or updated version has been released by the vendor. Users are advised to implement input validation and use prepared statements with parameterized queries to prevent SQL injection. Additionally, restricting access to the vulnerable endpoint to authorized users only and applying the principle of least privilege can reduce risk. If the application is no longer maintained, consider migrating to an alternative solution. [1]
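The fix the Mitigation section describes, shown as an added illustration that is not the project's own code: a hypothetical delete_product handler written in the vulnerable shape the advisory describes (the id parameter concatenated into the query), beside a version that validates the parameter and binds it with a mysqli prepared statement. The table and column names (product_list, id) and the function names are assumptions, not taken from Master.php.

```php
<?php
// Added example, not SourceCodester's code. Table/column names are assumed.
// Both handlers receive the request parameter the advisory names: id.

// VULNERABLE shape: the raw id value becomes part of the SQL text, so any
// quote, comment marker or function call in the input is parsed by MySQL.
function delete_product_vulnerable(mysqli $conn, array $request): bool
{
    $id  = $request['id'] ?? '';
    $sql = "DELETE FROM product_list WHERE id = '{$id}'";
    return (bool) $conn->query($sql);
}

// HARDENED: validate the type first, then bind the value as a parameter.
// The SQL text is fixed at prepare() time; the server receives id purely
// as data, so it can never change the structure of the statement.
function delete_product_safe(mysqli $conn, array $request): bool
{
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400); // reject anything that is not a positive integer
        return false;
    }
    $stmt = $conn->prepare('DELETE FROM product_list WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Error-based injection depends on the database's error text reaching the
// client; keep driver errors out of HTTP responses and log them server-side.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

Together with the parameter binding, this also removes the information channel the advisory's error-based technique relies on, since a malformed id is rejected before any query runs and driver errors are no longer echoed back.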
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sanitization Management System / Sanitization Management System
- Range: = v1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.