code-projects Pharmacy Management System manage_invoice.php SQL injection
Description
A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /manage_invoice.php. The manipulation of the argument invoice_number leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in the invoice deletion endpoint of Pharmacy Management System 1.0 allows remote attackers to delete records or extract data.
Vulnerability
A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0. The flaw resides in the file /manage_invoice.php, specifically in the invoice_number parameter used by the deletion functionality. The application fails to sanitize this input, allowing an attacker to inject arbitrary SQL commands via a GET request [2]. No authentication is required to reach the endpoint.
Exploitation
An attacker can exploit the vulnerability by sending a crafted GET request to /php/manage_invoice.php?action=delete&invoice_number=... with malicious SQL payloads appended to the invoice_number parameter. A public proof-of-concept demonstrates using time-based blind injection (e.g., BENCHMARK) to confirm the injection [2]. The attack requires no prior authentication and can be initiated remotely over HTTP.
Impact
Successful exploitation allows an attacker to manipulate the underlying database, potentially deleting invoice records, exposing sensitive data, or disrupting financial operations. The vulnerability is rated critical due to the ease of exploitation and the potential for data compromise [1][2].
Mitigation
As of the publication date (2024-10-19), no patch is available from the vendor. The manufacturer (code-projects) has not released a fix, and the software is considered unpatched [2]. Users should consider isolating the application from untrusted networks, applying input validation and parameterized queries, or discontinuing use until a security update is provided.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `invoice_number` parameter in the invoice deletion functionality allows SQL injection."
Attack vector
An attacker sends a crafted GET request to `/php/manage_invoice.php?action=delete&invoice_number=...` with malicious SQL payloads in the `invoice_number` parameter [ref_id=1]. The parameter is not sanitized, allowing the attacker to inject arbitrary SQL commands that the database executes [ref_id=1]. The attack can be performed remotely over HTTP with no authentication required [ref_id=1].
Affected code
The vulnerable endpoint is `/php/manage_invoice.php` with the `action=delete` and `invoice_number` parameters [ref_id=1]. The file `manage_invoice.php` does not sanitize the `invoice_number` input before using it in a SQL query [ref_id=1].
What the fix does
No patch is available for this vulnerability [ref_id=1]. The advisory recommends immediate remediation such as implementing proper input sanitization and parameterized queries for the `invoice_number` parameter to prevent SQL injection [ref_id=1].
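To make the remediation named in the Mitigation and "What the fix does" sections concrete, here is an added PHP example (not the project's code) that places the string-built delete query the advisory describes beside a validated, parameterized version; the `invoices` table, the `invoice_number` column, the `$pdo` connection and the `user_id` session key are assumptions.

```php
<?php
// Added illustration of the defect class and its fix. NOT the project's
// code: table/column names, $pdo and the session key are assumptions.

// --- Vulnerable pattern (what the advisory describes) ---
// The request parameter is concatenated straight into the SQL text, so
// whatever the client sends in invoice_number becomes part of the query.
function deleteInvoiceVulnerable(PDO $pdo, array $get)
{
    $invoiceNumber = $get['invoice_number'] ?? '';
    $sql = "DELETE FROM invoices WHERE invoice_number = '" . $invoiceNumber . "'";
    return (int) $pdo->exec($sql); // client-controlled SQL reaches the database
}

// --- Hardened pattern ---
// 1. Validate the value against the format an invoice number may have
//    (assumed here: 1-20 digits) and reject anything else before querying.
// 2. Bind the value as a parameter so the driver never treats it as SQL,
//    whatever characters it contains.
function deleteInvoiceSafe(PDO $pdo, array $get): int
{
    $invoiceNumber = $get['invoice_number'] ?? '';
    if (!preg_match('/^[0-9]{1,20}$/', $invoiceNumber)) {
        http_response_code(400);
        return 0; // malformed input never reaches the query
    }
    $stmt = $pdo->prepare('DELETE FROM invoices WHERE invoice_number = :inv');
    $stmt->execute([':inv' => $invoiceNumber]);
    return $stmt->rowCount();
}

// Dispatch for action=delete (assumed routing). The advisory notes the
// endpoint is reachable without authentication; requiring a logged-in
// session here is an extra hardening step on top of the query fix.
if (($_GET['action'] ?? '') === 'delete') {
    session_start();
    if (empty($_SESSION['user_id'])) { // assumed session key
        http_response_code(403);
        exit;
    }
    // $pdo: assumed existing connection, ideally created with
    // PDO::ATTR_EMULATE_PREPARES => false so the server binds parameters.
    $deleted = deleteInvoiceSafe($pdo, $_GET);
    echo $deleted > 0 ? 'deleted' : 'not found';
}
```

The validation step alone is not the fix; the prepared statement is what stops injection, and the format check simply rejects junk early and gives a clean 400 for monitoring.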
Preconditions
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.
- config: The application must be running Pharmacy Management System 1.0 with the vulnerable code unpatched.
- auth: No authentication is required; the endpoint is publicly accessible.
Reproduction
Send a GET request to `http://
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/f6411aecc606b015a37382b2be828831 (mitre, exploit)
- vuldb.com (mitre, third-party-advisory)
- code-projects.org (mitre, product)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.