code-projects Pharmacy Management System manage_purchase.php sql injection
Description
A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /php/manage_purchase.php?action=search&tag=VOUCHER_NUMBER. The manipulation of the argument text leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Pharmacy Management System 1.0's purchase search allows remote attackers to execute arbitrary SQL commands via the text parameter.
Vulnerability
A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the /php/manage_purchase.php endpoint when the action=search and tag=VOUCHER_NUMBER parameters are used. The text parameter is directly concatenated into SQL queries without sanitization, allowing an attacker to inject arbitrary SQL commands [2].
Exploitation
The vulnerability is remotely exploitable without authentication. An attacker sends a crafted GET request to the vulnerable endpoint, manipulating the text parameter with SQL injection payloads. A proof-of-concept demonstrates using a time-based blind injection with SLEEP(5) to confirm the vulnerability [2]. No special privileges or user interaction are required.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to disclosure of sensitive data (e.g., financial or operational records), modification or deletion of database contents, and potential disruption of the application's functionality. The impact is critical due to the lack of authentication required and the full database compromise possible [2].
Mitigation
As of the publication date (2024-10-16), no official patch has been released by the vendor. The affected version is 1.0, and the project appears to be unmaintained. Users should consider isolating the application, implementing a web application firewall (WAF) with SQL injection rules, or migrating to an alternative solution. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `text` parameter allows direct SQL command injection."
Attack vector
An attacker sends a crafted GET request to `/php/manage_purchase.php?action=search&tag=VOUCHER_NUMBER` with a malicious `text` parameter containing SQL metacharacters. The `text` value is directly concatenated into a SQL query without sanitization, allowing the attacker to inject arbitrary SQL commands [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required, and the PoC demonstrates a time-based blind injection using `SLEEP(5)` to confirm database manipulation [ref_id=1].
Affected code
The vulnerable endpoint is `/php/manage_purchase.php` with the `action=search` and `tag=VOUCHER_NUMBER` parameters. The `text` parameter passed via GET request is the injection point [ref_id=1].
What the fix does
No patch is available for this vulnerability; the advisory explicitly lists the status as "Unpatched" [ref_id=1]. The recommended remediation is to implement parameterized queries or prepared statements for the `text` parameter in the search functionality, and to validate and sanitize all user-supplied input before including it in SQL queries [ref_id=1].
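The remediation described above, as an added illustrative example in PHP (this is not code from the Pharmacy Management System project; the advisory does not show the original query). The table name `purchases`, the column `voucher_number`, the database name and the credentials are assumptions. The concatenating function is shown only for contrast with the prepared-statement version that replaces it:

```php
<?php
// Added illustrative example, not the project's own code.
// Assumed schema: a `purchases` table with a `voucher_number` column.
// The real table and column names used by manage_purchase.php are not known from the advisory.

// --- Pattern the advisory describes: the GET parameter is concatenated straight into SQL.
function searchByVoucherVulnerable(mysqli $db, string $text): mysqli_result|false
{
    // A quote or comment sequence inside $text changes the structure of the query itself.
    $sql = "SELECT * FROM purchases WHERE voucher_number = '" . $text . "'";
    return $db->query($sql);
}

// --- Hardened version: a prepared statement sends $text as a bound value, never as query text.
function searchByVoucherSafe(mysqli $db, string $text): array
{
    $stmt = $db->prepare("SELECT * FROM purchases WHERE voucher_number = ?");
    $stmt->bind_param('s', $text);   // 's' binds the value as a string, separately from the SQL
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Allow-list check applied before the query. Voucher numbers are assumed here to be
// short alphanumeric strings with dashes; anything else is rejected early.
// This is defence in depth only; the prepared statement is what prevents injection.
function isValidVoucherNumber(string $text): bool
{
    return preg_match('/^[A-Za-z0-9-]{1,32}$/', $text) === 1;
}

// Request handling using the same parameter names as the advisory (action, tag, text).
$action = $_GET['action'] ?? '';
$tag    = $_GET['tag'] ?? '';
$text   = $_GET['text'] ?? '';

if ($action === 'search' && $tag === 'VOUCHER_NUMBER') {
    if (!isValidVoucherNumber($text)) {
        http_response_code(400);
        exit('invalid voucher number');
    }
    // Throw exceptions on SQL errors instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Placeholder credentials and database name; replace with the deployment's own configuration.
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'pharmacy');
    header('Content-Type: application/json');
    echo json_encode(searchByVoucherSafe($db, $text));
}
```

The prepared statement is the actual fix: the database receives the query skeleton and the bound value through separate channels, so the value cannot alter the SQL. The regular expression narrows what the endpoint accepts and makes anomalous requests easy to log, but on its own it would not be a reliable defence, which is why the order of the two checks above matters less than the presence of the bound parameter.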
Preconditions
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.
- auth: No authentication or special privileges are required.
- input: The `text` parameter is accepted without sanitization.
Reproduction
Send the following GET request to the vulnerable server (adjust Host as needed):
```
GET /php/manage_purchase.php?action=search&text=3213'%20AND%20(SELECT%203786%20FROM%20(SELECT(SLEEP(5)))Tbox)--%20XBUg&tag=VOUCHER_NUMBER HTTP/1.1
Host: localhost:8080
```
A 5-second delay in the response confirms the SQL injection is exploitable [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/439f2af836c2c7d6075ba9de2e1169da (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- code-projects.org (mitre; product)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.