code-projects Pharmacy Management System add_new_invoice.php sql injection
Description
A vulnerability was found in code-projects Pharmacy Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /add_new_invoice.php. The manipulation of the argument text leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Pharmacy Management System 1.0 via text parameter in /add_new_invoice.php allows remote attackers to execute arbitrary SQL commands.
Vulnerability
A critical SQL injection vulnerability exists in the Pharmacy Management System version 1.0, specifically in the /add_new_invoice.php endpoint when processing the action=medicine_list parameter. The text parameter, used to search for medicines during invoice creation, is not properly sanitized before being used in SQL queries. This allows an attacker to inject arbitrary SQL commands. The vulnerable endpoint is /php/add_new_invoice.php?action=medicine_list&text=aa [2].
Exploitation
An attacker with network access to the web server and a valid session (as indicated by the PHP session cookie in the proof of concept) can send a crafted GET request to the vulnerable endpoint. The request includes a malicious value for the text parameter, such as a time-based blind SQL injection payload using SLEEP(). The proof of concept demonstrates that it is possible to inject SQL commands and observe time delays to confirm successful exploitation [2].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the database. This can lead to unauthorized disclosure of sensitive data (e.g., medicine inventory details, user credentials), as well as modification or deletion of records. The vulnerability compromises both the confidentiality and integrity of the system, and is classified as critical [2].
Mitigation
No official patch is available as of the publication date; the vulnerability status is reported as unpatched [2]. As a workaround, all user input, especially the text parameter, should be sanitized and validated. The use of parameterized queries or prepared statements is strongly recommended to prevent SQL injection attacks. Users should monitor for updates from the vendor and apply them when available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `text` parameter in `/php/add_new_invoice.php` allows SQL injection."
Attack vector
An attacker sends a crafted GET request to `/php/add_new_invoice.php?action=medicine_list&text=...` where the `text` parameter contains SQL injection payloads [ref_id=1]. The input is not sanitized, allowing arbitrary SQL commands to be executed against the database [ref_id=1]. The attack is remotely exploitable over HTTP with no authentication requirements specified. The provided PoC demonstrates a time-based blind SQL injection using `SLEEP(5)` to confirm the vulnerability [ref_id=1].
Affected code
The vulnerable endpoint is `/php/add_new_invoice.php` with the `action=medicine_list` and `text` parameters [ref_id=1]. The file `add_new_invoice.php` processes the `text` argument without proper sanitization before using it in a database query to retrieve medicine search results [ref_id=1].
What the fix does
No patch has been published for this vulnerability [ref_id=1]. The advisory describes the issue as unpatched and recommends remediation to avoid disruption of pharmaceutical operations and data breaches [ref_id=1]. To fix the vulnerability, the application should implement parameterized queries or prepared statements for the `text` parameter used in the medicine search query, and apply proper input validation and sanitization.
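To make the recommended fix concrete, the following is an added illustration and not code from the Pharmacy Management System project: a hypothetical reconstruction of a `medicine_list` search handler, showing the string-concatenation pattern that the advisory's root cause describes beside a hardened version that binds the `text` parameter through a mysqli prepared statement. The table name `medicine`, its columns, the `$db` connection and the JSON response shape are all assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Assumptions (not from the advisory):
// a `medicine` table with columns `id`, `name`, `price`, and a live mysqli
// connection in $db established elsewhere.

// Vulnerable pattern (reconstructed, hypothetical): the `text` value is spliced
// straight into the SQL string, so a single quote in the input ends the literal
// and whatever follows is executed as SQL.
function medicine_list_vulnerable(mysqli $db, string $text): array
{
    $sql = "SELECT id, name, price FROM medicine WHERE name LIKE '%" . $text . "%'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened pattern: the query text is fixed at prepare() time and the value is
// sent separately as a bound parameter, so it can never change the statement.
function medicine_list_safe(mysqli $db, string $text): array
{
    // Input validation: reject absurd lengths before touching the database.
    if (strlen($text) > 100) {
        throw new InvalidArgumentException('search term too long');
    }

    // Escape LIKE wildcards so "%" or "_" typed by the user match literally
    // instead of turning the search into a wildcard scan (binding alone does
    // not handle this; it is a LIKE-specific concern, not an injection one).
    $pattern = strtr($text, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);

    $stmt = $db->prepare(
        "SELECT id, name, price FROM medicine WHERE name LIKE CONCAT('%', ?, '%') LIMIT 50"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pattern);   // 's' = bind as string
    $stmt->execute();

    // get_result() requires the mysqlnd driver, which is the default on modern PHP.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Hypothetical dispatcher mirroring the ?action=medicine_list&text=... shape
// from the advisory; $db is assumed to be created by the application's own
// database bootstrap.
if (($_GET['action'] ?? '') === 'medicine_list') {
    $text = (string) ($_GET['text'] ?? '');
    header('Content-Type: application/json');
    try {
        echo json_encode(medicine_list_safe($db, $text));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

The defensive property comes from `prepare()` plus `bind_param()`: the search term is never part of the SQL text, so there is no quote to break out of. Length checks and wildcard escaping are added on top for robustness, but they are not what stops injection; replacing every concatenated query in the file with a bound parameter is.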
Preconditions
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.
- input: The vulnerable /php/add_new_invoice.php endpoint must be accessible.
Reproduction
1. Send a GET request to the vulnerable endpoint with a SQL injection payload in the `text` parameter, for example: `GET /php/add_new_invoice.php?action=medicine_list&text='%20AND%20(SELECT%209276%20FROM%20(SELECT(SLEEP(5)))AbCg)--%20sLxQ HTTP/1.1` [ref_id=1].
2. Observe a 5-second delay in the response, confirming time-based blind SQL injection [ref_id=1].
3. The same endpoint can be further exploited with tools like SQLMap to extract or manipulate database contents [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gist.github.com/higordiego/be616d2853a9f1820d8558fc00e97e24 (mitre: exploit)
- vuldb.com (mitre: third-party-advisory)
- code-projects.org (mitre: product)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry, technical-description)
News mentions
No linked articles in our index yet.