SourceCodester Lost and Found Information System GET Parameter SQL injection
Description
A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been classified as critical. This affects an unknown part of the file admin/?page=categories/view_category of the component GET Parameter Handler. The manipulation of the argument id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228885 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in SourceCodester Lost and Found Information System 1.0 via id parameter in admin/?page=categories/view_category allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A critical SQL injection vulnerability exists in SourceCodester Lost and Found Information System version 1.0. The flaw resides in the admin/?page=categories/view_category endpoint, where the id GET parameter is passed unsanitized into an SQL query. This allows an attacker to inject arbitrary SQL commands. The issue is classified as CWE-89 [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The proof-of-concept involves sending a crafted GET request to /php-lfis/admin/?page=categories/view_category&id=2 with a malicious id value. The request can be captured and processed with tools like SQLmap to automate injection and data extraction [1].
Impact
Successful exploitation leads to full compromise of confidentiality, integrity, and availability of the database. An attacker can retrieve, modify, or delete sensitive data, and potentially escalate privileges within the application [1].
Mitigation
No official patch or updated version has been released by the vendor as of the publication date. Users should restrict network access to the admin panel, implement strict input validation and parameterized queries, or consider using a web application firewall to block SQL injection attempts [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
- SourceCodester / Lost and Found Information System, Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `id` GET parameter in `admin/?page=categories/view_category` is not sanitized before being used in an SQL query, leading to SQL injection [CWE-89]."
Attack vector
An attacker can exploit this SQL injection by sending a crafted GET request to `/php-lfis/admin/?page=categories/view_category&id=` with a malicious `id` parameter value [ref_id=1]. The attack is performed remotely over HTTP and does not require authentication. The researcher demonstrated the exploit by capturing the request and feeding it to SQLmap, which automates the injection process [ref_id=1].
Affected code
The vulnerability resides in the file `admin/?page=categories/view_category` of the Lost and Found Information System 1.0. The `id` GET parameter is passed to the database query without proper sanitization, allowing an attacker to inject arbitrary SQL commands [ref_id=1].
What the fix does
No patch has been published by the vendor. The advisory does not include a fix or remediation guidance [ref_id=1]. To close this vulnerability, the application should use parameterized queries (prepared statements) or properly escape the `id` input before including it in an SQL statement, as recommended for CWE-89 [ref_id=1].
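The mitigation above names the two controls that close a CWE-89 flaw of this kind: validate the `id` input and bind it through a prepared statement. The snippet below is an added illustration written for this page, not code from the Lost and Found Information System project; the table and column names (`categories`, `id`, `name`) and the connection parameters are assumptions.

```php
<?php
// Added illustration, not the project's own code. Shows the CWE-89 pattern the advisory
// describes (raw GET value spliced into SQL) and a hardened version of the same lookup.
// Table/column names and connection details are assumptions.

// Vulnerable pattern, for contrast only: the GET value becomes part of the SQL text.
//   $sql = "SELECT * FROM categories WHERE id = " . $_GET['id'];
//   $result = $conn->query($sql);

/**
 * Look up one category by id using a prepared statement.
 * Returns the row as an associative array, or null when the id is invalid or not found.
 */
function view_category(mysqli $conn, $raw_id): ?array
{
    // 1. Validate the type: a category id must be a positive integer. Anything else
    //    is rejected before it reaches the database at all.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterize: the value is bound as an integer, never concatenated into the
    //    statement, so quotes, comment markers or UNION clauses in the input cannot
    //    alter the query's structure.
    $stmt = $conn->prepare('SELECT id, name FROM categories WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage (assumed connection parameters):
// $conn = new mysqli('localhost', 'lfis_user', 'secret', 'lfis_db');
// $category = view_category($conn, $_GET['id'] ?? '');
// if ($category === null) {
//     http_response_code(404);
//     exit('Category not found');
// }
```

The integer validation step is worth keeping even with a prepared statement: it turns malformed requests into a clean 404 instead of a database round trip, which also makes injection attempts easier to spot in the web server's access log (non-numeric `id` values against this endpoint).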
Preconditions
- config: The target must be running SourceCodester Lost and Found Information System 1.0 with the admin interface accessible.
- network: The attacker must be able to send HTTP GET requests to the server (network connectivity).
- network: The vulnerable page /php-lfis/admin/?page=categories/view_category must be reachable.
Reproduction
1. Visit the vulnerable page: `/php-lfis/admin/?page=categories/view_category&id=2` [ref_id=1].
2. Copy the HTTP request to a text file.
3. Run SQLmap against the captured request to automate the SQL injection [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/tht1997/CVE_2023/blob/main/Lost%20and%20Found%20Information%20System/CVE-2023-2669.md (mitre, exploit)
- vuldb.com (mitre, signature)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.