code-projects Pharmacy Management System manage_supplier.php sql injection
Description
A vulnerability classified as critical has been found in code-projects Pharmacy Management System 1.0. This affects an unknown part of the file /php/manage_supplier.php?action=search. The manipulation of the argument text leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A critical SQL injection in Pharmacy Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the `text` parameter in manage_supplier.php.
Vulnerability
A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the /php/manage_supplier.php?action=search endpoint. The text parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL commands via GET request. The vulnerability affects version 1.0 of the software, and no patch has been released as of the advisory date.[1][2]
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By sending a crafted GET request to the vulnerable endpoint with a malicious payload in the text parameter, the attacker can execute arbitrary SQL statements. A proof-of-concept demonstrates using a time-based blind SQL injection technique (e.g., SLEEP(5)) to extract data. The exploit does not require special privileges beyond network access to the application.[2]
Impact
Successful exploitation allows an attacker to read, modify, or delete data in the underlying database. This could expose sensitive supplier information, operational or financial data, and potentially lead to full compromise of the database. The vulnerability is classified as critical due to the ease of exploitation and the sensitivity of the exposed data.[2]
Mitigation
No official patch or fix has been released by the vendor as of the publication date. Users are advised to apply input validation and use prepared statements or parameterized queries to mitigate the risk until a fix is available. The vulnerable software may be end-of-life or unmaintained, so migrating to a supported alternative is recommended.[1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: =1.0
- Range: 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and lack of parameterized queries in the search functionality allow SQL injection via the `text` parameter."
Attack vector
An attacker sends a crafted GET request to `/php/manage_supplier.php?action=search&text=` with a malicious SQL payload in the `text` parameter [ref_id=1]. The payload uses a time-based blind SQL injection technique (e.g., `a%' AND (SELECT 4603 FROM (SELECT(SLEEP(5)))wrps) AND 'nhHU%'='nhHU`) to exfiltrate data or cause denial of service [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication required [ref_id=1].
Affected code
The vulnerable endpoint is `/php/manage_supplier.php?action=search`, specifically the `text` parameter passed via GET request [ref_id=1]. The file `manage_supplier.php` in the Pharmacy Management System 1.0 does not sanitize or parameterize this input before using it in a SQL query [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory recommends immediate mitigation, such as implementing prepared statements or parameterized queries for the `text` parameter in the search functionality, to prevent SQL injection [ref_id=1]. Without a fix, the application remains critically exposed to database compromise [ref_id=1].
Preconditions
- networkThe attacker must be able to send HTTP GET requests to the vulnerable endpoint.
- authNo authentication or special privileges are required.
- configThe application must be running Pharmacy Management System version 1.0 with the search functionality exposed.
Reproduction
Send the following GET request to the vulnerable endpoint (adjust Host as needed):
``` GET /php/manage_supplier.php?action=search&text=a%25'%20AND%20(SELECT%204603%20FROM%20(SELECT(SLEEP(5)))wrps)%20AND%20'nhHU%25'%3d'nhHU HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: */* Connection: keep-alive ```
If the application pauses for approximately 5 seconds before responding, the time-based blind SQL injection is confirmed [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- gist.github.com/higordiego/2bd0a94e480906a60ce83b8a4ec26957mitreexploit
- vuldb.commitrethird-party-advisory
- code-projects.orgmitreproduct
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.