code-projects Pharmacy Management System manage_medicine_stock.php sql injection
Description
A vulnerability, which was classified as critical, has been found in code-projects Pharmacy Management System 1.0. This issue affects some unknown processing of the file /php/manage_medicine_stock.php. The manipulation of the argument name/packing/generic_name/suppliers_name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in Pharmacy Management System 1.0 via multiple parameters in manage_medicine_stock.php allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A critical SQL injection vulnerability exists in the update functionality of /php/manage_medicine_stock.php in Pharmacy Management System version 1.0 [1][2]. User-supplied input for parameters name, packing, generic_name, and suppliers_name is not properly sanitized, allowing an attacker to inject arbitrary SQL commands [2].
Exploitation
An attacker with network access to the application and a valid user session can exploit this vulnerability by sending a crafted GET request to the vulnerable endpoint with malicious SQL in the parameters. A proof-of-concept (PoC) using a time-based blind SQL injection (SLEEP) has been publicly disclosed [2]. The attack is remote and does not require any special privileges beyond a valid session [2].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to disclosure of sensitive information such as supplier details, and potentially compromising the integrity and availability of the database [2]. This poses a critical risk to the confidentiality of pharmaceutical operations data [2].
Mitigation
As of the publication date, no official patch is available for Pharmacy Management System 1.0 [2]. Users should implement input validation, use parameterized queries, or restrict access to the vulnerable endpoint as a workaround. The application is considered unpatched, and users should monitor vendor updates [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: = 1.0
- Range: 1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the update medicine functionality allows SQL injection through the name, packing, generic_name, and suppliers_name parameters."
Attack vector
An attacker sends a crafted GET request to `/php/manage_medicine_stock.php?action=update` with malicious SQL injected into the `name`, `packing`, `generic_name`, or `suppliers_name` parameters [ref_id=1]. The attack is performed remotely over HTTP and requires no authentication beyond a valid session cookie [ref_id=1]. The PoC demonstrates a time-based blind SQL injection using `AND (SELECT 4184 FROM (SELECT(SLEEP(5)))wLDx)` in the `id` parameter to cause a 5-second database delay [ref_id=1].
Affected code
The vulnerable endpoint is `/php/manage_medicine_stock.php` with the `action=update` parameter [ref_id=1]. The parameters `name`, `packing`, `generic_name`, and `suppliers_name` are not sanitized before being used in SQL queries [ref_id=1].
What the fix does
No patch has been released for this vulnerability [ref_id=1]. The advisory notes the issue is unpatched and recommends immediate mitigation to prevent data breaches and system compromise [ref_id=1]. Without a fix, the application continues to pass unsanitized user input directly into SQL queries, allowing arbitrary command execution against the database.
Preconditions
- networkThe attacker must have network access to the Pharmacy Management System web interface
- authA valid PHP session cookie (PHPSESSID) is required
- inputThe attacker sends crafted input via GET parameters (name, packing, generic_name, suppliers_name, or id)
Reproduction
1. Obtain a valid session cookie by visiting the Pharmacy Management System login page. 2. Send a GET request to the vulnerable endpoint with a time-based SQL injection payload in the `id` parameter, for example: `GET /php/manage_medicine_stock.php?action=update&id=4%20AND%20(SELECT%204184%20FROM%20(SELECT(SLEEP(5)))wLDx)&batch_id=NI325&expiry_date=05/22&quantity=3&mrp=31.65&rate=28` [ref_id=1]. 3. Observe a 5-second delay in the response, confirming successful SQL injection [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- gist.github.com/higordiego/b0083f7f12dee245c2fbe7102e31d9a4mitreexploit
- vuldb.commitrethird-party-advisory
- code-projects.orgmitreproduct
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.