code-projects Pharmacy Management System add_new_medicine.php sql injection
Description
A vulnerability classified as critical was found in code-projects Pharmacy Management System 1.0. This vulnerability affects unknown code of the file /php/add_new_medicine.php. The manipulation of the argument name/packing/generic_name/suppliers_name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in Pharmacy Management System 1.0 via unsanitized parameters in add_new_medicine.php allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the /php/add_new_medicine.php endpoint, where the name, packing, generic_name, and suppliers_name parameters are not properly sanitized before being used in SQL queries. An attacker can inject arbitrary SQL commands through these parameters, as demonstrated in the proof-of-concept request [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. By crafting a malicious GET request to /php/add_new_medicine.php with SQL injection payloads in any of the vulnerable parameters, the attacker can execute arbitrary SQL statements. The provided PoC uses a time-based blind injection technique with SLEEP() to confirm the injection [2]. The attack requires no special privileges or user interaction.
Impact
Successful exploitation allows an attacker to read, modify, or delete database contents, potentially exposing sensitive information such as supplier details, medicine records, and user credentials. The vulnerability can lead to complete compromise of the database integrity and confidentiality, and may enable further attacks on the application [2].
Mitigation
As of the publication date (2024-10-16), no official patch has been released for this vulnerability. The vendor (code-projects) has not provided a fix. Users are advised to implement input validation and parameterized queries to mitigate the risk. Until a patch is available, restricting network access to the vulnerable endpoint and applying web application firewall rules can reduce exposure [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `name`, `packing`, `generic_name`, and `suppliers_name` parameters allows SQL injection."
Attack vector
An attacker sends a crafted GET request to `/php/add_new_medicine.php` with malicious SQL payloads in any of the `name`, `packing`, `generic_name`, or `suppliers_name` parameters [ref_id=1]. The input is not sanitized before being used in database queries, allowing the attacker to inject arbitrary SQL commands. The attack can be performed remotely without authentication, as demonstrated by the PoC using a time-based blind SQL injection with `SLEEP(5)` in the `name` parameter [ref_id=1].
Affected code
The vulnerable endpoint is `/php/add_new_medicine.php` in Pharmacy Management System 1.0. The parameters `name`, `packing`, `generic_name`, and `suppliers_name` are all unsanitized and susceptible to SQL injection [ref_id=1].
What the fix does
No patch is available for this vulnerability [ref_id=1]. The advisory recommends immediate mitigation, such as implementing proper input validation, parameterized queries, or prepared statements to prevent SQL injection in the affected parameters [ref_id=1].
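The pattern the advisory describes, next to a hardened replacement, as an added example written for this page; it is not code from code-projects or from the PoC author. The project's actual query in `/php/add_new_medicine.php` is not published (the advisory itself says "unknown code"), so the vulnerable function below is an assumed reconstruction of a concatenated duplicate-check-then-insert flow. The table name `medicines`, the column names matching the four parameters, the PDO DSN and the credentials are all assumptions.

```php
<?php
// Added illustrative example; NOT the code of code-projects Pharmacy Management System.
// Assumptions: table `medicines` with columns name, packing, generic_name,
// suppliers_name; MySQL via PDO; DSN and credentials are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    // Assumed connection details; adjust for the deployment.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=pharmacy;charset=utf8mb4',
        'app',
        'secret',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

// VULNERABLE (assumed pattern): request values are spliced into the SQL text.
// With name = a' AND (SELECT 7103 FROM (SELECT(SLEEP(5)))XkQj)-- DYIO
// the duplicate check becomes
//   SELECT COUNT(*) FROM medicines WHERE name = 'a' AND (SELECT 7103 FROM (SELECT(SLEEP(5)))XkQj)-- DYIO'
// which is valid SQL, so MySQL sleeps 5 seconds: the delay the PoC measures.
function addMedicineVulnerable(PDO $pdo, array $params): bool
{
    $dup = "SELECT COUNT(*) FROM medicines WHERE name = '" . $params['name'] . "'";
    if ((int) $pdo->query($dup)->fetchColumn() > 0) {
        return false; // already present
    }
    $insert = "INSERT INTO medicines (name, packing, generic_name, suppliers_name) VALUES ('"
        . $params['name'] . "', '"
        . $params['packing'] . "', '"
        . $params['generic_name'] . "', '"
        . $params['suppliers_name'] . "')";
    $pdo->exec($insert);
    return true;
}

// FIXED: the SQL text is constant and values travel as bound parameters, so the
// same payload is compared/stored as a literal string and never parsed as SQL.
function addMedicineFixed(PDO $pdo, array $params): bool
{
    foreach (['name', 'packing', 'generic_name', 'suppliers_name'] as $field) {
        if (!isset($params[$field]) || !is_string($params[$field])) {
            throw new InvalidArgumentException("missing parameter: $field");
        }
        if (strlen($params[$field]) > 255) { // length cap: defence in depth, not the fix
            throw new InvalidArgumentException("parameter too long: $field");
        }
    }

    $dup = $pdo->prepare('SELECT COUNT(*) FROM medicines WHERE name = :name');
    $dup->execute([':name' => $params['name']]);
    if ((int) $dup->fetchColumn() > 0) {
        return false;
    }

    $insert = $pdo->prepare(
        'INSERT INTO medicines (name, packing, generic_name, suppliers_name)
         VALUES (:name, :packing, :generic_name, :suppliers_name)'
    );
    $insert->execute([
        ':name'           => $params['name'],
        ':packing'        => $params['packing'],
        ':generic_name'   => $params['generic_name'],
        ':suppliers_name' => $params['suppliers_name'],
    ]);
    return true;
}

// Usage: the PoC shows the endpoint accepting an unauthenticated GET. Requiring a
// logged-in session and POST (both assumed for this example) closes that separately.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}
addMedicineFixed(connect(), $_POST);
```

The prepared statement is the actual fix; the length check and the method/session gate are hardening on top of it. Escaping functions such as `mysqli_real_escape_string()` would also block this particular payload, but they depend on the connection charset and are easy to forget on one parameter, which is why the advisory points to parameterized queries.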
Preconditions
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.
- auth: No authentication is required; the endpoint is publicly accessible.
- input: The attacker must craft a malicious payload in one or more of the parameters: name, packing, generic_name, or suppliers_name.
Reproduction
Send a GET request to the vulnerable endpoint with a SQL injection payload in the `name` parameter. Example from the PoC [ref_id=1]:
```
GET /php/add_new_medicine.php?name=a' AND (SELECT 7103 FROM (SELECT(SLEEP(5)))XkQj)-- DYIO&packing=aaa&generic_name=a&suppliers_name=Desai%20Pharma HTTP/1.1
Host: localhost:8080
```
A 5-second delay in the response confirms successful time-based blind SQL injection [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/01a35a20a4e20e937d384b677c000921 (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- code-projects.org (mitre; product)
- vuldb.com (mitre; signature; permissions-required)
- vuldb.com (mitre; vdb-entry; technical-description)
News mentions
No linked articles in our index yet.