VYPR
Unrated severity · NVD Advisory · Published Oct 19, 2024 · Updated Oct 21, 2024

code-projects Pharmacy Management System manage_supplier.php sql injection

CVE-2024-10140

Description

A vulnerability, which was classified as critical, has been found in code-projects Pharmacy Management System 1.0. Affected by this issue is some unknown functionality of the file /manage_supplier.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Critical SQL injection in code-projects Pharmacy Management System 1.0 via unsanitized 'id' parameter in the supplier deletion endpoint /manage_supplier.php.

Vulnerability

A critical SQL injection vulnerability exists in code-projects Pharmacy Management System version 1.0 [1]. The flaw resides in the file /manage_supplier.php within the supplier deletion functionality. The id parameter passed via a GET request to the endpoint /php/manage_supplier.php?action=delete&id=... is not properly sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL commands [2].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted GET request to the vulnerable endpoint. The proof of concept provided demonstrates injecting a BENCHMARK-based payload into the id parameter. Successful exploitation requires no authentication or special privileges, only network access to the application [2].

Impact

Successful SQL injection allows the attacker to delete arbitrary supplier records, expose confidential data, and disrupt key operations. The vulnerability can lead to a full compromise of the database's integrity and confidentiality. No authentication is required to exploit it, and the impact is classified as critical [2].

Mitigation

As of the publication date (October 19, 2024), no patch or fixed version has been released by the vendor [2]. Users of Pharmacy Management System 1.0 are strongly advised to implement input sanitization and parameterized queries for the id parameter, or to restrict access to the vulnerable endpoint until an official fix becomes available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `id` parameter in `/php/manage_supplier.php` is not sanitized before being used in a SQL query, allowing injection of arbitrary SQL commands."

Attack vector

An attacker sends a crafted GET request to `/php/manage_supplier.php?action=delete&id=` with malicious SQL appended to the `id` parameter [ref_id=1]. The request can be sent remotely without authentication, as demonstrated by the PoC which includes only a session cookie [ref_id=1]. The injected SQL payload (e.g., a BENCHMARK-based blind injection) is executed by the database, allowing the attacker to extract data, delete records, or perform other unauthorized operations [ref_id=1].

Affected code

The vulnerable endpoint is `/php/manage_supplier.php` with the `action=delete` and `id` parameters [ref_id=1]. The `id` parameter is passed via GET request and is not sanitized before being used in a SQL query [ref_id=1].

What the fix does

No patch has been released for this vulnerability; the advisory explicitly lists the status as "Unpatched" [ref_id=1]. The recommended remediation is to implement proper input sanitization and parameterized queries for the `id` parameter in the supplier deletion functionality to prevent SQL injection [ref_id=1].
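The remediation named above (and under Mitigation) is the standard one for this bug class: never splice the request parameter into SQL text, validate its type, and bind it through a prepared statement. The following is an added illustration written for this page; it is not code from the Pharmacy Management System project, and the `supplier` table name, the `$pdo` connection details and the session check are assumptions, since the advisory does not name them. The first function shows the injectable shape described in the root-cause quote; the second is the hardened form.

```php
<?php
// Added example, not the project's own code.
// Assumed: a PDO connection to the application's MySQL database and a
// `supplier` table whose primary key is an integer column `id`.

// Injectable shape: the untrusted $_GET['id'] is concatenated into the
// statement, so the request's id string becomes part of the executed SQL.
// Shown only to contrast with the hardened version below; do not use.
function deleteSupplierVulnerable(PDO $pdo, string $id): int
{
    $sql = "DELETE FROM supplier WHERE id = " . $id;
    return (int) $pdo->exec($sql);
}

// Hardened form: validate that the identifier is a positive integer, then
// bind it as a typed parameter so the database treats it as data, never as SQL.
function deleteSupplierSafe(PDO $pdo, string $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Anything that is not a plain integer (e.g. "32 AND ...") is rejected
        // before it can reach the database at all.
        http_response_code(400);
        return 0;
    }
    $stmt = $pdo->prepare('DELETE FROM supplier WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Dispatch for the delete action, mirroring the endpoint shape in the advisory.
if (($_GET['action'] ?? '') === 'delete') {
    // Assumed: the application's existing session/login check has already run.
    $pdo = new PDO('mysql:host=localhost;dbname=pharmacy', 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Disable client-side emulation so the server receives a real prepared
        // statement with the parameter sent separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
    $deleted = deleteSupplierSafe($pdo, (string) ($_GET['id'] ?? ''));
    echo $deleted === 1 ? 'Supplier deleted' : 'No supplier deleted';
}
```

Two points are worth keeping in mind when applying this pattern. Type validation alone (`FILTER_VALIDATE_INT`) already blocks the payload shape in the advisory, but the prepared statement is what makes the query safe regardless of how the parameter is later reused; both layers belong in the fix. And a delete endpoint reached by a plain GET is trivially triggered by a link or image tag, so moving the action to POST with a CSRF token is a reasonable companion change even though it is outside this CVE's scope.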

Preconditions

  • network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.
  • auth: The application must have a valid session (PHPSESSID cookie) to reach the delete functionality.

Reproduction

1. Ensure the Pharmacy Management System 1.0 is running and accessible (e.g., at `http://localhost:8080`).
2. Obtain a valid session cookie (e.g., `PHPSESSID=48068ce7875c00d88ca3aa2b9269b91f`).
3. Send a GET request to the vulnerable endpoint with a SQL injection payload in the `id` parameter: `GET /php/manage_supplier.php?action=delete&id=32%20AND%202813%3dBENCHMARK(5000000%2cMD5(0x4f74656e)) HTTP/1.1`. Include the session cookie and appropriate headers as shown in the PoC [ref_id=1].
4. Observe the database response or timing delay to confirm successful injection.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
