VYPR
Unrated severity · NVD Advisory · Published May 12, 2023 · Updated Aug 2, 2024

SourceCodester Lost and Found Information System GET Parameter manager_category sql injection

CVE-2023-2668

Description

A vulnerability was found in SourceCodester Lost and Found Information System 1.0 and classified as critical. Affected by this issue is the function manager_category of the file admin/?page=categories/manage_category of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-228884.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in SourceCodester Lost and Found Information System 1.0 via the `id` parameter in `manager_category` allows remote attackers to execute arbitrary SQL commands.

Vulnerability

A SQL injection vulnerability exists in SourceCodester Lost and Found Information System version 1.0. The flaw resides in the manager_category function within the file admin/?page=categories/manage_category. The id GET parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. This issue is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint, such as /php-lfis/admin/?page=categories/manage_category&id=<malicious_payload>. No authentication is required, as the admin panel appears to be accessible without a valid session. The attacker can use tools like SQLmap to automate the injection and extract data from the database [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the backend database. This can lead to unauthorized disclosure of sensitive information (e.g., user credentials, personal data), modification or deletion of database records, and potentially full compromise of the application and underlying server [1].

Mitigation

As of the publication date (12 May 2023), no official patch has been released by SourceCodester. Users should apply input validation and use parameterized queries to prevent SQL injection. If the application is no longer maintained, consider migrating to a supported alternative. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `id` GET parameter is passed unsanitized into an SQL query in the `manager_category` function, allowing SQL injection [CWE-89] [ref_id=1]."

Attack vector

An attacker can exploit this SQL injection by sending a crafted GET request to `/php-lfis/admin/?page=categories/manage_category&id=` with a malicious `id` parameter [ref_id=1]. The attack is remotely exploitable and requires no authentication beyond access to the admin page [ref_id=1]. The researcher's proof of concept demonstrates using SQLmap against the vulnerable endpoint to extract database contents [ref_id=1].

Affected code

The vulnerability resides in the `manager_category` function within the file `admin/?page=categories/manage_category` of the GET Parameter Handler component [ref_id=1]. The `id` parameter is passed directly into an SQL query without proper sanitization [ref_id=1].

What the fix does

No patch or official fix is provided in the bundle [ref_id=1]. The advisory does not include remediation guidance from the vendor. To close this vulnerability, the application should use parameterized queries (prepared statements) or properly escape the `id` input before including it in an SQL command, neutralizing special characters that could alter the intended query structure [CWE-89].
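The parameterized-query fix described here and in the Mitigation section, as an added example that is not the project's code: a constructed PHP handler that validates `id` as a positive integer and binds it through a mysqli prepared statement. The `$conn` connection, the `categories` table and its `id`/`name` columns are assumptions, and the commented-out unsafe query is only a typical form of the pattern the advisory describes, not code from the application.

```php
<?php
// Added example, not the project's code. Assumes an open mysqli
// connection in $conn and a table `categories` (int `id`, `name`).
declare(strict_types=1);

function load_category(mysqli $conn, array $query): ?array
{
    // 1. Validate: `id` must be a positive integer. Anything else is
    //    rejected before it reaches the database, which already rules
    //    out quotes, comment markers and appended clauses.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterize: the SQL text is fixed at prepare time and the
    //    value is bound separately, so user input can never change the
    //    query structure (the CWE-89 neutralization the advisory asks for).
    $stmt = $conn->prepare('SELECT id, name FROM categories WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Contrast (illustrative only, do not use): interpolating the raw
// parameter into the SQL string is the pattern the advisory describes.
// $res = $conn->query("SELECT * FROM categories WHERE id = '{$_GET['id']}'");

$category = load_category($conn, $_GET);
if ($category === null) {
    http_response_code(400);
    exit('Invalid or unknown category id.');
}
```

Rejecting non-integer input up front also gives a cheap detection signal: a spike of 400 responses on this endpoint is worth alerting on.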

Preconditions

  • Network: the attacker must have network access to the web application
  • Auth: the vulnerable admin page must be accessible (no authentication bypass required beyond normal admin access)
  • Input: the attacker controls the `id` GET parameter value

Reproduction

1. Visit the vulnerable page: `/php-lfis/admin/?page=categories/view_category&id=2` [ref_id=1].
2. Copy the request to a text file and run it with SQLmap against the endpoint `/php-lfis/admin/?page=categories/manage_category&id=2` [ref_id=1].
3. The raw GET request includes the `id=2` parameter in the query string, which is the injection point [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
