VYPR
Unrated severity · NVD Advisory · Published May 14, 2023 · Updated Aug 2, 2024

SourceCodester Lost and Found Information System GET Parameter sql injection

CVE-2023-2698

Description

A vulnerability classified as critical was found in SourceCodester Lost and Found Information System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=items/manage_item of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-228979.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lost and Found Information System 1.0 has a SQL injection in the admin/?page=items/manage_item endpoint via the id parameter, allowing remote attacks with known exploit code.

Vulnerability

A critical SQL injection vulnerability exists in SourceCodester Lost and Found Information System version 1.0. The flaw resides in the admin/?page=items/manage_item endpoint, specifically within the id GET parameter of the item management functionality. No authentication or special privileges are required to reach the vulnerable code path. The parameter is directly concatenated into SQL queries without sanitization or parameterization, enabling injection. [1]

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP GET request to the vulnerable endpoint with a malicious id parameter. The exploit is publicly disclosed, including proof-of-concept details such as the exact request structure and injected payload. The attacker does not need authentication or prior knowledge of the system, as the vulnerable page is accessible without login. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized retrieval, modification, or deletion of sensitive data (confidentiality, integrity, availability impact). The attacker gains read and write access to database contents at whatever privilege level the application is configured to use for its database connections. [1]

Mitigation

As of the publication date, no patch or fixed version has been released by the vendor. Users should upgrade to a non-vulnerable version if and when it becomes available. In the absence of an official fix, administrators should restrict network access to the admin interface and apply web application firewall (WAF) rules to block SQL injection patterns; however, these are temporary mitigations. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]
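Because no fixed version exists, defenders are left with access restriction and request filtering. The following added detection example (not from the advisory or the vendor) scans web-server access logs for requests to the affected `admin/?page=items/manage_item` endpoint whose `id` value is not a plain integer; it assumes an Apache combined log format, a hypothetical install path `/lfis/`, and that a legitimate item id is always numeric. An allowlist check on the parameter's expected shape catches encoded and unencoded variants alike, which a pattern blocklist does not.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). They are
# illustrative only and were not captured from any real deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2023:10:01:02 +0000] "GET /lfis/admin/?page=items/manage_item&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2023:10:01:09 +0000] "GET /lfis/admin/?page=items/manage_item&id=12%27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [14/May/2023:10:02:00 +0000] "GET /lfis/admin/?page=items/index HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [14/May/2023:10:02:30 +0000] "GET /lfis/admin/?page=items/manage_item&id=12+OR+1%3D1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Captures client IP, timestamp, method and request target from one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
VULN_PAGE = "items/manage_item"  # the page= value named in the advisory


def is_well_formed_id(value: str) -> bool:
    """Assumption: manage_item expects a numeric item id; anything else is anomalous."""
    return value.isdigit()


def flag_suspicious(log_text: str) -> list:
    """Return one finding per request to the vulnerable page with a malformed id."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/admin/"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so encoded
        # variants are judged on their decoded form.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("page", [""])[0] != VULN_PAGE:
            continue
        for raw_id in qs.get("id", []):
            if not is_well_formed_id(raw_id):
                findings.append({"ip": m["ip"], "ts": m["ts"], "id": raw_id})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} malformed id={f['id']!r}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the two constructed probe lines above are flagged while the legitimate `id=12` request and the unrelated `items/index` page are not.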

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0

No linked articles in our index yet.