VYPR
Unrated severity · NVD Advisory · Published Oct 19, 2024 · Updated Oct 21, 2024

code-projects Pharmacy Management System manage_medicine.php sql injection

CVE-2024-10137

Description

A vulnerability was found in code-projects Pharmacy Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /manage_medicine.php?action=delete. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Pharmacy Management System 1.0 via `id` parameter in `/manage_medicine.php?action=delete` allows remote attackers to execute arbitrary SQL commands.

Vulnerability

A critical SQL injection vulnerability exists in Pharmacy Management System version 1.0 in the file /manage_medicine.php?action=delete. The id parameter is not properly sanitized, allowing an attacker to inject and execute arbitrary SQL commands via a GET request. This vulnerability is classified as critical and affects the delete functionality of medicine records [2].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted GET request to the vulnerable endpoint. The PoC request cited in the references carries a session cookie, so it is issued from a logged-in session; the advisory does not state whether the endpoint is reachable without one. For example, setting the id parameter to id=1 AND 1084=BENCHMARK(5000000,MD5(0x5741704f)) makes a MySQL backend evaluate the BENCHMARK expression and delay its response, a time-based blind SQL injection. No user interaction is required [2].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to unauthorized deletion of critical records, exposure of sensitive data, and disruption of essential operations. The attacker can potentially compromise the entire database, including reading, modifying, or deleting data [2].

Mitigation

As of the publication date, no patch is available for this vulnerability. The vendor (code-projects) has not released a fix. Until one is available, operators should validate the id parameter before it reaches the query (for example by casting it to an integer and rejecting anything else) and move the delete statement to a prepared statement with bound parameters. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization on the `id` parameter in the medicine deletion functionality allows SQL injection."

Attack vector

An attacker sends a crafted GET request to `/php/manage_medicine.php?action=delete` with a malicious `id` parameter containing SQL injection payloads [ref_id=1]. The attack is remotely exploitable over HTTP; the PoC request includes a session cookie, and no authentication bypass is described. The PoC demonstrates appending a time-based blind payload (`BENCHMARK`, a MySQL function) to the `id` value, which causes the database to delay its response if the injected expression is evaluated [ref_id=1].

Affected code

The vulnerable endpoint is `/php/manage_medicine.php?action=delete`, where the `id` parameter is passed via GET request without sanitization [ref_id=1]. The file `manage_medicine.php` processes the delete action and concatenates the unsanitized `id` value directly into a SQL query [ref_id=1]. Note that the PoC reference places the file under `/php/`, while the NVD description gives the path as `/manage_medicine.php`; check both locations when confirming an installation is affected.

What the fix does

No patch has been released for this vulnerability [ref_id=1]. The advisory recommends sanitizing the `id` parameter before using it in SQL queries, such as by casting it to an integer or using prepared statements with parameterized queries [ref_id=1]. Without a fix, the application remains vulnerable to arbitrary SQL command execution.
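The defect described above and the fix recommended here and in the Mitigation section, as an added illustration that is not code from the Pharmacy Management System (a PHP/MySQL application): an in-memory SQLite table with constructed rows, a delete that splices the raw `id` into the statement the way the advisory describes, and the cast-to-integer check plus parameterized delete that the advisory recommends. The table and column names (`medicine`, `id`, `name`) are assumptions. SQLite has no `BENCHMARK()` function, so the vulnerable path is exercised with a boolean payload of the same shape (an integer followed by an always-true condition); the PoC's actual `id` value is decoded from its URL-encoded form and shown to be rejected by the integer check.

```python
# Added illustration, not code from the Pharmacy Management System (which is PHP/MySQL).
# Shows the advisory's root cause (raw `id` concatenated into a DELETE) beside the
# recommended fix (cast to int, then a parameterized query), using SQLite so it runs
# offline. Table and column names (medicine, id, name) are assumptions.
import sqlite3
from urllib.parse import unquote

# The id value from the PoC request, exactly as it appears URL-encoded on the wire.
POC_ENCODED = "1%20AND%201084%3dBENCHMARK(5000000%2cMD5(0x5741704f))"


def seed_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for the application's medicine table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE medicine (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO medicine VALUES (?, ?)",
        [(1, "Amoxicillin"), (2, "Ibuprofen"), (3, "Metformin")],
    )
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM medicine").fetchone()[0]


def delete_vulnerable(conn: sqlite3.Connection, raw_id: str) -> int:
    """Mirrors the defect: the request parameter is spliced straight into the SQL text.
    Returns the number of rows left afterwards."""
    conn.execute(f"DELETE FROM medicine WHERE id = {raw_id}")
    return row_count(conn)


def parse_id(raw_id: str) -> int:
    """Cast-to-integer check the advisory recommends: accept a bare ASCII integer only."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError(f"invalid id: {raw_id!r}")
    return int(raw_id)


def delete_safe(conn: sqlite3.Connection, raw_id: str) -> int:
    """Recommended fix: validate first, then bind the value instead of concatenating it."""
    medicine_id = parse_id(raw_id)
    conn.execute("DELETE FROM medicine WHERE id = ?", (medicine_id,))
    return row_count(conn)


def poc_payload() -> str:
    """Decode the PoC id value: '1 AND 1084=BENCHMARK(5000000,MD5(0x5741704f))'."""
    return unquote(POC_ENCODED)


if __name__ == "__main__":
    # SQLite cannot evaluate BENCHMARK(), so the vulnerable path is shown with a
    # tautology payload of the same shape. `id = 1 OR 1=1` is true for every row,
    # so a request meant to delete one record empties the table.
    print("decoded PoC id:", poc_payload())
    print("rows left, vulnerable delete with '1':", delete_vulnerable(seed_db(), "1"))
    print("rows left, vulnerable delete with '1 OR 1=1':", delete_vulnerable(seed_db(), "1 OR 1=1"))
    print("rows left, safe delete with '1':", delete_safe(seed_db(), "1"))
    try:
        delete_safe(seed_db(), poc_payload())
    except ValueError as exc:
        print("safe path rejects the PoC payload:", exc)
```

On a MySQL backend the same concatenation would hand the PoC's `BENCHMARK` expression to the server, which evaluates it for each row the `WHERE` clause visits and delays the response; that delay is what the time-based PoC measures. The integer check and the bound parameter close both paths, since the payload never becomes part of the SQL text.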

Preconditions

  • network: The Pharmacy Management System version 1.0 must be running and the manage_medicine.php endpoint must be accessible over HTTP.
  • input: The attacker sends a GET request with a malicious id parameter. The PoC request includes a session cookie; the advisory does not state whether the endpoint can be reached without one.

Reproduction

Send a GET request to the vulnerable endpoint with a SQL injection payload in the `id` parameter. Example from the PoC [ref_id=1]: `GET /php/manage_medicine.php?action=delete&id=1%20AND%201084%3dBENCHMARK(5000000%2cMD5(0x5741704f)) HTTP/1.1` with Host set to `localhost:8080` and a valid session cookie. The decoded `id` value is `1 AND 1084=BENCHMARK(5000000,MD5(0x5741704f))`; `BENCHMARK` is MySQL-specific, so the check only applies to a MySQL backend. Compare the response time against a baseline request with a plain numeric `id`: a response that is measurably slower confirms the injection [ref_id=1]. Note that the payload is evaluated by the `DELETE` statement itself, so test against a disposable copy of the database rather than a production instance.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)